diff --git a/.geppetto-rc.json b/.geppetto-rc.json
new file mode 100644
index 0000000000..7df2329891
--- /dev/null
+++ b/.geppetto-rc.json
@@ -0,0 +1,9 @@
+{
+ "excludes": [
+ "**/contrib/**",
+ "**/examples/**",
+ "**/tests/**",
+ "**/spec/**",
+ "**/pkg/**"
+ ]
+}
diff --git a/.gitignore b/.gitignore
index b5b7a00d67..b5db85e051 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,5 @@ spec/fixtures/
.vagrant/
.bundle/
coverage/
+.idea/
+*.iml
diff --git a/.travis.yml b/.travis.yml
index 86222c2813..bd66c7d1c3 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,6 +1,6 @@
---
language: ruby
-bundler_args: --without development
+bundler_args: --without system_tests
script: "bundle exec rake validate && bundle exec rake lint && bundle exec rake spec SPEC_OPTS='--format documentation'"
matrix:
fast_finish: true
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c2ccb4c6c3..967e8a237d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,62 @@
+##2015-02-17 - Supported Release 1.3.0
+###Summary
+
+This release has many new features and bugfixes, including the ability to optionally not trigger service restarts on config changes.
+
+####Features
+- New parameters - `apache`
+ - `service_manage`
+ - `use_optional_includes`
+- New parameters - `apache::service`
+ - `service_manage`
+- New parameters - `apache::vhost`
+ - `access_logs`
+ - `php_flags`
+ - `php_values`
+ - `modsec_disable_vhost`
+ - `modsec_disable_ids`
+ - `modsec_disable_ips`
+ - `modsec_body_limit`
+- Improved FreeBSD support
+- Add ability to omit priority prefix if `$priority` is set to false
+- Add `apache::security::rule_link` define
+- Improvements to `apache::mod::*`
+ - Add `apache::mod::auth_cass` class
+ - Add `threadlimit`, `listenbacklog`, `maxrequestworkers`, `maxconnectionsperchild` parameters to `apache::mod::event`
+ - Add `apache::mod::filter` class
+ - Add `root_group` to `apache::mod::php`
+ - Add `apache::mod::proxy_connect` class
+ - Add `apache::mod::security` class
+ - Add `ssl_pass_phrase_dialog` and `ssl_random_seed_bytes parameters to `apache::mod::ssl` (MODULES-1719)
+ - Add `status_path` parameter to `apache::mod::status`
+ - Add `apache_version` parameter to `apache::mod::version`
+ - Add `package_name` and `mod_path` parameters to `apache::mod::wsgi` (MODULES-1458)
+- Improved SCL support
+ - Add support for specifying the docroot
+- Updated `_directories.erb` to add support for SetEnv
+- Support multiple access log directives (MODULES-1382)
+- Add passenger support for Debian Jessie
+- Add support for not having puppet restart the apache service (MODULES-1559)
+
+####Bugfixes
+- For apache 2.4 `mod_itk` requires `mod_prefork` (MODULES-825)
+- Allow SSLCACertificatePath to be unset in `apache::vhost` (MODULES-1457)
+- Load fcgid after unixd on RHEL7
+- Allow disabling default vhost for Apache 2.4
+- Test fixes
+- `mod_version` is now built-in (MODULES-1446)
+- Sort LogFormats for idempotency
+- `allow_encoded_slashes` was omitted from `apache::vhost`
+- Fix documentation bug (MODULES-1403, MODULES-1510)
+- Sort `wsgi_script_aliases` for idempotency (MODULES-1384)
+- lint fixes
+- Fix automatic version detection for Debian Jessie
+- Fix error docs and icons path for RHEL7-based systems (MODULES-1554)
+- Sort php_* hashes for idempotency (MODULES-1680)
+- Ensure `mod::setenvif` is included if needed (MODULES-1696)
+- Fix indentation in `vhost/_directories.erb` template (MODULES-1688)
+- Create symlinks on all distros if `vhost_enable_dir` is specified
+
##2014-09-30 - Supported Release 1.2.0
###Summary
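Review bot: Three entries in the new 1.3.0 section do not match the rest of this patch. The `apache::mod::ssl` bullet has no closing backtick after `ssl_random_seed_bytes`, so the rest of that line renders as code. `apache::mod::auth_cass` is spelled `auth_cas` in the README hunks. `apache::security::rule_link` is documented in the README as `apache::security::file_link`. Please fix the backtick and make the two names agree with the manifests.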
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index e1288478a2..f1cbde4bbf 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -41,11 +41,9 @@ Checklist (and a short version for the impatient)
* Pre-requisites:
- - Sign the [Contributor License Agreement](https://cla.puppetlabs.com/)
-
- Make sure you have a [GitHub account](https://github.com/join)
- - [Create a ticket](http://projects.puppetlabs.com/projects/modules/issues/new), or [watch the ticket](http://projects.puppetlabs.com/projects/modules/issues) you are patching for.
+ - [Create a ticket](https://tickets.puppetlabs.com/secure/CreateIssue!default.jspa), or [watch the ticket](https://tickets.puppetlabs.com/browse/) you are patching for.
* Preferred method:
@@ -94,17 +92,7 @@ The long version
whitespace or other "whitespace errors". You can do this by
running "git diff --check" on your changes before you commit.
- 2. Sign the Contributor License Agreement
-
- Before we can accept your changes, we do need a signed Puppet
- Labs Contributor License Agreement (CLA).
-
- You can access the CLA via the [Contributor License Agreement link](https://cla.puppetlabs.com/)
-
- If you have any questions about the CLA, please feel free to
- contact Puppet Labs via email at cla-submissions@puppetlabs.com.
-
- 3. Sending your patches
+ 2. Sending your patches
To submit your changes via a GitHub pull request, we _highly_
recommend that you have them on a topic branch, instead of
@@ -124,7 +112,7 @@ The long version
in order to open a pull request.
- 4. Update the related GitHub issue.
+ 3. Update the related GitHub issue.
If there is a GitHub issue associated with the change you
submitted, then you should update the ticket to include the
@@ -220,14 +208,12 @@ review.
Additional Resources
====================
-* [Getting additional help](http://projects.puppetlabs.com/projects/puppet/wiki/Getting_Help)
+* [Getting additional help](http://puppetlabs.com/community/get-help)
* [Writing tests](http://projects.puppetlabs.com/projects/puppet/wiki/Development_Writing_Tests)
* [Patchwork](https://patchwork.puppetlabs.com)
-* [Contributor License Agreement](https://projects.puppetlabs.com/contributor_licenses/sign)
-
* [General GitHub documentation](http://help.github.com/)
* [GitHub pull request documentation](http://help.github.com/send-pull-requests/)
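Review bot: The "Writing tests" link in this list still points at projects.puppetlabs.com, the host this patch is otherwise moving away from, and the new "Getting additional help" link uses http rather than https. Please update the remaining old link or drop it, and use https where the target supports it.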
diff --git a/Gemfile b/Gemfile
index e960f7c4b7..62c5693973 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,15 +1,19 @@
source ENV['GEM_SOURCE'] || "https://rubygems.org"
-group :development, :test do
+group :development, :unit_tests do
gem 'rake', :require => false
- gem 'rspec-puppet', :require => false
+ gem 'rspec-core', '3.1.7', :require => false
+ gem 'rspec-puppet', '~> 1.0', :require => false
gem 'puppetlabs_spec_helper', :require => false
- gem 'serverspec', :require => false
gem 'puppet-lint', :require => false
- gem 'beaker', :require => false
- gem 'beaker-rspec', :require => false
- gem 'pry', :require => false
gem 'simplecov', :require => false
+ gem 'puppet_facts', :require => false
+ gem 'json', :require => false
+end
+
+group :system_tests do
+ gem 'beaker-rspec', :require => false
+ gem 'serverspec', :require => false
end
if facterversion = ENV['FACTER_GEM_VERSION']
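Review bot: `gem 'rspec-core', '3.1.7'` is an exact pin with no comment saying why, so nobody will know when it is safe to lift. Please add a comment naming the incompatibility or ticket that needs it. The new `puppet_facts` and `json` entries are left unconstrained next to it, so the resulting test environment is still not reproducible. Note also that `pry` and the explicit `beaker` entry are removed without a mention in the commit text visible here.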
diff --git a/README.md b/README.md
index b98749b584..174e58120d 100644
--- a/README.md
+++ b/README.md
@@ -16,15 +16,18 @@
* [Class: apache::default_mods](#class-apachedefault_mods)
* [Defined Type: apache::mod](#defined-type-apachemod)
* [Classes: apache::mod::*](#classes-apachemodname)
+ * [Class: apache::mod::event](#class-apachemodevent)
* [Class: apache::mod::info](#class-apachemodinfo)
* [Class: apache::mod::pagespeed](#class-apachemodpagespeed)
* [Class: apache::mod::php](#class-apachemodphp)
* [Class: apache::mod::ssl](#class-apachemodssl)
+ * [Class: apache::mod::status](#class-apachemodstatus)
* [Class: apache::mod::wsgi](#class-apachemodwsgi)
* [Class: apache::mod::fcgid](#class-apachemodfcgid)
* [Class: apache::mod::negotiation](#class-apachemodnegotiation)
* [Class: apache::mod::deflate](#class-apachemoddeflate)
* [Class: apache::mod::reqtimeout](#class-apachemodreqtimeout)
+ * [Class: apache::mod::security](#class-modsecurity)
* [Class: apache::mod::version](#class-apachemodversion)
* [Defined Type: apache::vhost](#defined-type-apachevhost)
* [Parameter: `directories` for apache::vhost](#parameter-directories-for-apachevhost)
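Review bot: The new table-of-contents entry for `apache::mod::security` links to `#class-modsecurity`, which does not follow the anchor pattern of every sibling entry (`#class-apachemodevent`, `#class-apachemodstatus`) and will not resolve to the `####Class: apache::mod::security` heading added later in this file. It should be `#class-apachemodsecurity`.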
@@ -239,7 +242,7 @@ Changes the location of the configuration directory the main configuration file
#####`confd_dir`
-Changes the location of the configuration directory your custom configuration files are placed in. Defaults to '/etc/httpd/conf' on RedHat, '/etc/apache2' on Debian, and '/usr/local/etc/apache22' on FreeBSD.
+Changes the location of the configuration directory your custom configuration files are placed in. Defaults to '/etc/httpd/conf' on RedHat, '/etc/apache2/conf.d' on Debian, and '/usr/local/etc/apache22' on FreeBSD.
#####`conf_template`
@@ -435,6 +438,10 @@ Determines whether the service should be running. Valid values are 'true', 'fals
Name of the Apache service to run. Defaults to: 'httpd' on RedHat, 'apache2' on Debian, and 'apache22' on FreeBSD.
+#####`service_manage`
+
+Determines whether the HTTPD service state is managed by Puppet . Defaults to 'true'.
+
#####`trace_enable`
Controls how TRACE requests per RFC 2616 are handled. More information about [TraceEnable](http://httpd.apache.org/docs/current/mod/core.html#traceenable). Defaults to 'On'.
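Review bot: The `service_manage` description does not say what setting it to false changes in practice. The CHANGELOG in this patch describes it as not having Puppet restart the service on config changes, and that consequence belongs here, since operators then have to reload Apache themselves for security-relevant config changes to take effect. Also remove the stray space in "Puppet ." and note that `init.pp` runs `validate_bool` on this parameter, so it must be a real boolean and not the quoted string the "Defaults to 'true'" wording suggests.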
@@ -475,6 +482,8 @@ The content of the configuration file. Only one of `$content` and `$source` can
The priority of the configuration file, used for ordering. Defaults to '25'.
+Pass priority `false` to omit the priority prefix in file names.
+
#####`source`
The source of the configuration file. Only one of `$content` and `$source` can be specified.
@@ -511,6 +520,7 @@ There are many `apache::mod::[name]` classes within this module that can be decl
* `actions`
* `alias`
* `auth_basic`
+* `auth_cas`* (see [`apache::mod::auth_cas`](#class-apachemodauthcas) below)
* `auth_kerb`
* `authnz_ldap`*
* `autoindex`
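Review bot: The `auth_cas` entry links to `#class-apachemodauthcas`, but anchors in this README keep underscores (see `#class-apachedefault_mods` in the table of contents), so the heading `apache::mod::auth_cas` resolves to `#class-apachemodauth_cas`. As written the link is dead.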
@@ -524,10 +534,11 @@ There are many `apache::mod::[name]` classes within this module that can be decl
* `dev`
* `dir`*
* `disk_cache`
-* `event`
+* `event`(see [`apache::mod::event`](#class-apachemodevent) below)
* `expires`
* `fastcgi`
* `fcgid`
+* `filter`
* `headers`
* `include`
* `info`*
@@ -553,10 +564,11 @@ There are many `apache::mod::[name]` classes within this module that can be decl
* `rewrite`
* `rpaf`*
* `setenvif`
+* `security`
* `shib`* (see [`apache::mod::shib`](#class-apachemodshib) below)
* `speling`
* `ssl`* (see [`apache::mod::ssl`](#class-apachemodssl) below)
-* `status`*
+* `status`* (see [`apache::mod::status`](#class-apachemodstatus) below)
* `suphp`
* `userdir`*
* `vhost_alias`
@@ -568,11 +580,31 @@ Modules noted with a * indicate that the module has settings and, thus, a templa
The modules mentioned above, and other Apache modules that have templates, cause template files to be dropped along with the mod install. The module will not work without the template. Any module without a template installs the package but drops no files.
+####Class: `apache::mod::event`
+
+Installs and manages mpm_event module.
+
+Full Documentation for mpm_event is available from [Apache](https://httpd.apache.org/docs/current/mod/event.html).
+
+To configure the event thread limit:
+
+```puppet
+ class {'apache::mod::event':
+ $threadlimit => '128',
+ }
+```
+
+####Class: `apache::mod::auth_cas`
+
+Installs and manages mod_auth_cas. The parameters `cas_login_url` and `cas_validate_url` are required.
+
+Full documentation on mod_auth_cas is available from [JASIG](https://github.com/Jasig/mod_auth_cas).
+
####Class: `apache::mod::info`
Installs and manages mod_info which provides a comprehensive overview of the server configuration.
-Full documentation for mod_info is available from [Apache](http://httpd.apache.org/docs/2.2/mod/mod_info.html).
+Full documentation for mod_info is available from [Apache](https://httpd.apache.org/docs/current/mod/mod_info.html).
These are the default settings:
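Review bot: The `apache::mod::event` example passes `$threadlimit => '128',` with a leading `$`, which is not valid in a resource-style class declaration; the parameter name should be written `threadlimit => '128',`. The `apache::mod::auth_cas` section states that `cas_login_url` and `cas_validate_url` are required but shows no declaration, so a short example with both parameters would save readers a compile failure.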
@@ -713,14 +745,32 @@ Installs Apache SSL capabilities and uses the ssl.conf.erb template. These are t
```puppet
class { 'apache::mod::ssl':
- ssl_compression => false,
- ssl_options => [ 'StdEnvVars' ],
- ssl_protocol => [ 'all', '-SSLv2', '-SSLv3'],
- }
+ ssl_compression => false,
+ ssl_options => [ 'StdEnvVars' ],
+ ssl_cipher => 'HIGH:MEDIUM:!aNULL:!MD5',
+ ssl_protocol => 'all -SSLv2 -SSLv3',
+ ssl_pass_phrase_dialog => 'builtin',
+ ssl_random_seed_bytes => '512',
+ }
```
To *use* SSL with a virtual host, you must either set the`default_ssl_vhost` parameter in `::apache` to 'true' or set the `ssl` parameter in `apache::vhost` to 'true'.
+####Class: `apache::mod::status`
+
+Installs Apache mod_status and uses the status.conf.erb template. These are the defaults:
+
+```puppet
+ class { 'apache::mod::status':
+ allow_from = ['127.0.0.1','::1'],
+ extended_status = 'On',
+ status_path = '/server-status',
+){
+
+
+ }
+```
+
####Class: `apache::mod::wsgi`
Enables Python support in the WSGI module. To use, simply `include 'apache::mod::wsgi'`.
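Review bot: The `apache::mod::status` example is not valid Puppet. All three parameters use `=` instead of `=>`, and a stray `){` followed by blank lines sits before the closing brace, which looks pasted from the class definition. Please rewrite it as a normal declaration. Since `allow_from` is the setting that keeps `/server-status` limited to loopback by default, a sentence saying so would help readers who are about to change it.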
@@ -735,6 +785,22 @@ For customized parameters, which tell Apache how Python is currently configured
}
```
+To specify an alternate mod\_wsgi package name to install and the name of the module .so it provides,
+(e.g. a "python27-mod\_wsgi" package that provides "python27-mod_wsgi.so" in the default module directory):
+
+```puppet
+ class { 'apache::mod::wsgi':
+ wsgi_socket_prefix => "\${APACHE_RUN_DIR}WSGI",
+ wsgi_python_home => '/path/to/venv',
+ wsgi_python_path => '/path/to/venv/site-packages',
+ package_name => 'python27-mod_wsgi',
+ mod_path => 'python27-mod_wsgi.so',
+ }
+```
+
+If ``mod_path`` does not contain "/", it will be prefixed by the default module path
+for your OS; otherwise, it will be used literally.
+
More information about [WSGI](http://modwsgi.readthedocs.org/en/latest/).
####Class: `apache::mod::fcgid`
@@ -828,7 +894,7 @@ mod_reqtimeout configuration.
}
```
-####Class: `apache::mod::reqtimeout`
+####Class: `apache::mod::version`
This wrapper around mod_version warns on Debian and Ubuntu systems with Apache httpd 2.4
about loading mod_version, as on these platforms it's already built-in.
@@ -843,6 +909,45 @@ A string or an array that sets the `RequestReadTimeout` option. Defaults to
`['header=20-40,MinRate=500', 'body=20,MinRate=500']`.
+####Class: `apache::mod::security`
+
+Installs and configures mod_security. Defaults to enabled and running on all
+vhosts.
+
+```puppet
+ include '::apache::mod::security'
+```
+
+#####`crs_package`
+
+Name of package to install containing crs rules
+
+#####`modsec_dir`
+
+Directory to install the modsec configuration and activated rules links into
+
+#####`activated_rules`
+
+Array of rules from the modsec_crs_path to activate by symlinking to
+${modsec_dir}/activated_rules.
+
+#####`allowed_methods`
+
+HTTP methods allowed by mod_security
+
+#####`content_types`
+
+Content-types allowed by mod_security
+
+#####`restricted_extensions`
+
+Extensions prohibited by mod_security
+
+#####`restricted_headers`
+
+Headers restricted by mod_security
+
+
####Defined Type: `apache::vhost`
The Apache module allows a lot of flexibility in the setup and configuration of virtual hosts. This flexibility is due, in part, to `vhost` being a defined resource type, which allows it to be evaluated multiple times with different parameters.
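Review bot: None of the seven `apache::mod::security` parameters documented here states a default or an accepted type, unlike the other class sections in this README, and `activated_rules` refers to `modsec_crs_path`, which is not documented anywhere in this hunk. For a module that is described as "enabled and running on all vhosts" by default, readers need to know which methods, content types, extensions and headers are allowed or restricted out of the box. Please add the defaults and document `modsec_crs_path`.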
@@ -875,7 +980,7 @@ If you have a series of specific configurations and do not want a base `::apache
#####`access_log`
-Specifies whether `*_access.log` directives (`*_file`,`*_pipe`, or `*_syslog`) should be configured. Setting the value to 'false' chooses none. Defaults to 'true'.
+Specifies whether `*_access.log` directives (`*_file`,`*_pipe`, or `*_syslog`) should be configured. Setting the value to 'false' chooses none. Defaults to 'true'.
#####`access_log_file`
@@ -907,6 +1012,10 @@ Determines whether the vhost creates a Listen statement. The default value is 't
Setting `add_listen` to 'false' stops the vhost from creating a Listen statement, and this is important when you combine vhosts that are not passed an `ip` parameter with vhosts that *are* passed the `ip` parameter.
+#####`use_optional_includes`
+
+Specifies if for apache > 2.4 it should use IncludeOptional instead of Include for `additional_includes`. Defaults to 'false'.
+
#####`additional_includes`
Specifies paths to additional static, vhost-specific Apache configuration files. Useful for implementing a unique, custom configuration not supported by this module. Can be an array. Defaults to '[]'.
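Review bot: The `use_optional_includes` text says "for apache > 2.4", which read literally excludes 2.4 itself, while the manifests in this patch gate 2.4 behaviour with `versioncmp($apache_version, '2.4') >= 0`. Please say "Apache 2.4 and later". It would also help to state the behavioural difference, namely that with IncludeOptional a missing or non-matching include path no longer stops Apache from starting, because that means a mistyped path in `additional_includes` is silently ignored.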
@@ -1077,6 +1186,34 @@ in without being aware of the consequences; see http://httpd.apache.org/docs/2.4
Specifies the verbosity of the error log. Defaults to 'warn' for the global server configuration and can be overridden on a per-vhost basis. Valid values are 'emerg', 'alert', 'crit', 'error', 'warn', 'notice', 'info' or 'debug'.
+######`modsec_body_limit`
+
+Configures the maximum request body size (in bytes) ModSecurity will accept for buffering
+
+######`modsec_disable_vhost`
+
+Boolean. Only valid if apache::mod::security is included. Used to disable mod_security on an individual vhost. Only relevant if apache::mod::security is included.
+
+######`modsec_disable_ids`
+
+Array of mod_security IDs to remove from the vhost. Also takes a hash allowing removal of an ID from a specific location.
+
+```puppet
+ apache::vhost { 'sample.example.net':
+ modsec_disable_ids => [ 90015, 90016 ],
+ }
+```
+
+```puppet
+ apache::vhost { 'sample.example.net':
+ modsec_disable_ids => { '/location1' => [ 90015, 90016 ] },
+ }
+```
+
+######`modsec_disable_ips`
+
+Array of IPs to exclude from mod_security rule matching
+
#####`no_proxy_uris`
Specifies URLs you do not want to proxy. This parameter is meant to be used in combination with [`proxy_dest`](#proxy_dest).
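Review bot: The four new `modsec_*` vhost parameters use six-hash headings while the neighbouring vhost parameters (`no_proxy_uris` directly below) use five, so they will render as sub-items of the previous parameter. The `modsec_disable_vhost` text repeats "Only valid/relevant if apache::mod::security is included" twice, and none of the four entries gives a default. Since `modsec_disable_ids` and `modsec_disable_ips` switch off protection for specific rules or clients, please state the defaults explicitly and say what format the IP entries take.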
@@ -1122,13 +1259,17 @@ Sets [PassengerStartTimeout](https://www.phusionpassenger.com/documentation/User
Sets [PassengerPreStart](https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html#PassengerPreStart), the URL of the application if pre-starting is required.
+#####`php_flags & values`
+
+Allows per-vhost setting [`php_value`s or `php_flag`s](http://php.net/manual/en/configuration.changes.php). These flags or values can be overwritten by a user or an application. Defaults to '[]'.
+
#####`php_admin_flags & values`
Allows per-vhost setting [`php_admin_value`s or `php_admin_flag`s](http://php.net/manual/en/configuration.changes.php). These flags or values cannot be overwritten by a user or an application. Defaults to '[]'.
#####`port`
-Sets the port the host is configured on. The module's defaults ensure the host listens on port 80 for non-SSL vhosts and port 443 for SSL vhosts. The host only listens on the port set in this parameter.
+Sets the port the host is configured on. The module's defaults ensure the host listens on port 80 for non-SSL vhosts and port 443 for SSL vhosts. The host only listens on the port set in this parameter.
#####`priority`
@@ -1138,6 +1279,8 @@ If nothing matches the priority, the first name-based vhost is used. Likewise, p
*Note:* You should not need to use this parameter. However, if you do use it, be aware that the `default_vhost` parameter for `apache::vhost` passes a priority of '15'.
+Pass priority `false` to omit the priority prefix in file names.
+
#####`proxy_dest`
Specifies the destination address of a [ProxyPass](http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass) configuration. Defaults to 'undef'.
@@ -1176,7 +1319,7 @@ Specifies the address to redirect to. Defaults to 'undef'.
#####`redirect_source`
-Specifies the source URIs that redirect to the destination specified in `redirect_dest`. If more than one item for redirect is supplied, the source and destination must be the same length, and the items are order-dependent.
+Specifies the source URIs that redirect to the destination specified in `redirect_dest`. If more than one item for redirect is supplied, the source and destination must be the same length, and the items are order-dependent.
```puppet
apache::vhost { 'site.name.fdqn':
@@ -1342,6 +1485,14 @@ Sets the servername corresponding to the hostname you connect to the virtual hos
Used by HTTPD to set environment variables for vhosts. Defaults to '[]'.
+Example:
+
+```puppet
+ apache::vhost { 'setenv.example.com':
+ setenv => ['SPECIAL_PATH /foo/bin'],
+ }
+```
+
#####`setenvif`
Used by HTTPD to conditionally set environment variables for vhosts. Defaults to '[]'.
@@ -1427,9 +1578,9 @@ To set up a virtual host with WSGI
The `directories` parameter within the `apache::vhost` class passes an array of hashes to the vhost to create [Directory](http://httpd.apache.org/docs/current/mod/core.html#directory), [File](http://httpd.apache.org/docs/current/mod/core.html#files), and [Location](http://httpd.apache.org/docs/current/mod/core.html#location) directive blocks. These blocks take the form, '< Directory /path/to/directory>...< /Directory>'.
-The `path` key sets the path for the directory, files, and location blocks. Its value must be a path for the 'directory', 'files', and 'location' providers, or a regex for the 'directorymatch', 'filesmatch', or 'locationmatch' providers. Each hash passed to `directories` **must** contain `path` as one of the keys.
+The `path` key sets the path for the directory, files, and location blocks. Its value must be a path for the 'directory', 'files', and 'location' providers, or a regex for the 'directorymatch', 'filesmatch', or 'locationmatch' providers. Each hash passed to `directories` **must** contain `path` as one of the keys.
-The `provider` key is optional. If missing, this key defaults to 'directory'. Valid values for `provider` are 'directory', 'files', 'location', 'directorymatch', 'filesmatch', or 'locationmatch'. If you set `provider` to 'directorymatch', it uses the keyword 'DirectoryMatch' in the Apache config file.
+The `provider` key is optional. If missing, this key defaults to 'directory'. Valid values for `provider` are 'directory', 'files', 'location', 'directorymatch', 'filesmatch', or 'locationmatch'. If you set `provider` to 'directorymatch', it uses the keyword 'DirectoryMatch' in the Apache config file.
General `directories` usage looks something like
@@ -1456,7 +1607,7 @@ Available handlers, represented as keys, should be placed within the `directory`
}
```
-Any handlers you do not set in these hashes are considered 'undefined' within Puppet and are not added to the virtual host, resulting in the module using their default values. Supported handlers are:
+Any handlers you do not set in these hashes are considered 'undefined' within Puppet and are not added to the virtual host, resulting in the module using their default values. Supported handlers are:
######`addhandlers`
@@ -1566,7 +1717,10 @@ Pass a string of custom configuration directives to be placed at the end of the
```puppet
apache::vhost { 'monitor':
…
- custom_fragment => '
+ directories => [
+ {
+ path => '/path/to/directory',
+ custom_fragment => '
SetHandler balancer-manager
Order allow,deny
@@ -1578,12 +1732,14 @@ Pass a string of custom configuration directives to be placed at the end of the
Allow from all
ProxyStatus On',
-}
+ },
+ ]
+ }
```
######`deny`
-Sets a [Deny](http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#deny) directive, specifying which hosts are denied access to the server. **Deprecated:** This parameter is being deprecated due to a change in Apache. It only works with Apache 2.2 and lower.
+Sets a [Deny](http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#deny) directive, specifying which hosts are denied access to the server. **Deprecated:** This parameter is being deprecated due to a change in Apache. It only works with Apache 2.2 and lower.
```puppet
apache::vhost { 'sample.example.net':
@@ -1697,16 +1853,20 @@ Sets the value for the [PassengerEnabled](http://www.modrails.com/documentation/
```puppet
apache::vhost { 'sample.example.net':
docroot => '/path/to/directory',
- directories => [
- { path => '/path/to/directory',
+ directories => [
+ { path => '/path/to/directory',
passenger_enabled => 'on',
- },
+ },
],
}
```
*Note:* Be aware that there is an [issue](http://www.conandalton.net/2010/06/passengerenabled-off-not-working.html) using the PassengerEnabled directive with the PassengerHighPerformance directive.
+######`php_value` and `php_flag`
+
+`php_value` sets the value of the directory, and `php_flag` uses a boolean to configure the directory. Further information can be found [here](http://php.net/manual/en/configuration.changes.php).
+
######`php_admin_value` and `php_admin_flag`
`php_admin_value` sets the value of the directory, and `php_admin_flag` uses a boolean to configure the directory. Further information can be found [here](http://php.net/manual/en/configuration.changes.php).
@@ -1734,9 +1894,9 @@ Sets a `SetHandler` directive as per the [Apache Core documentation](http://http
```puppet
apache::vhost { 'sample.example.net':
docroot => '/path/to/directory',
- directories => [
- { path => '/path/to/directory',
- sethandler => 'None',
+ directories => [
+ { path => '/path/to/directory',
+ sethandler => 'None',
}
],
}
@@ -1787,7 +1947,7 @@ Allows an valid content setting to be set or altered for the application request
######`shib_use_headers`
-When set to 'On' this turns on the use of request headers to publish attributes to applications. Valid values for this key is 'On' or 'Off', and the default value is 'Off'. This key is disabled if `apache::mod::shib` is not defined. Check the [`mod_shib` documentation](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-Server/VirtualHostOptions) for more details.
+When set to 'On' this turns on the use of request headers to publish attributes to applications. Valid values for this key is 'On' or 'Off', and the default value is 'Off'. This key is disabled if `apache::mod::shib` is not defined. Check the [`mod_shib` documentation](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-Server/VirtualHostOptions) for more details.
######`ssl_options`
@@ -1951,7 +2111,7 @@ Within your virtual host, you can then configure the specified file type to be h
```puppet
apache::vhost { 'www':
...
- custom_fragment = 'AddType application/x-httpd-php .php'
+ custom_fragment => 'AddType application/x-httpd-php .php'
...
}
```
@@ -1978,7 +2138,7 @@ A unique alias. This is used internally to link the action with the FastCGI serv
#####`file_type`
-The MIME-type of the file to be processed by the FastCGI server.
+The MIME-type of the file to be processed by the FastCGI server.
###Virtual Host Examples
@@ -2273,6 +2433,7 @@ If you need to use ProxySet in the balancer config
* `apache::peruser::multiplexer`: Enables the [Peruser](http://www.freebsd.org/cgi/url.cgi?ports/www/apache22-peruser-mpm/pkg-descr) module for FreeBSD only.
* `apache::peruser::processor`: Enables the [Peruser](http://www.freebsd.org/cgi/url.cgi?ports/www/apache22-peruser-mpm/pkg-descr) module for FreeBSD only.
+* `apache::security::file_link`: Links the activated_rules from apache::mod::security to the respective CRS rules on disk.
###Templates
@@ -2337,7 +2498,7 @@ Puppet Labs modules on the Puppet Forge are open projects, and community contrib
We want to keep it as easy as possible to contribute changes so that our modules work in your environment. There are a few guidelines that we need contributors to follow so that we can have a chance of keeping on top of things.
-You can read the complete module contribution guide [on the Puppet Labs wiki.](http://projects.puppetlabs.com/projects/module-site/wiki/Module_contributing)
+Read the complete module [contribution guide](https://docs.puppetlabs.com/forge/contributing.html)
###Running tests
diff --git a/README.passenger.md b/README.passenger.md
index 4b4caa8c09..84e6992ffa 100644
--- a/README.passenger.md
+++ b/README.passenger.md
@@ -27,6 +27,7 @@ puppetlabs-apache:
OS | Passenger version | `PassengerRoot`
---------------- | ------------------ | ----------------
Debian 7 | 3.0.13 | /usr
+Debian 8 | 4.0.53 | /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
Ubuntu 12.04 | 2.2.11 | /usr
Ubuntu 14.04 | 4.0.37 | /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
RHEL with EPEL6 | 3.0.21 | /usr/lib/ruby/gems/1.8/gems/passenger-3.0.21
diff --git a/Rakefile b/Rakefile
index 01c85eb991..416807dadc 100644
--- a/Rakefile
+++ b/Rakefile
@@ -1,7 +1,7 @@
require 'puppetlabs_spec_helper/rake_tasks'
require 'puppet-lint/tasks/puppet-lint'
-PuppetLint.configuration.fail_on_warnings
+PuppetLint.configuration.fail_on_warnings = true
PuppetLint.configuration.send('relative')
PuppetLint.configuration.send('disable_80chars')
PuppetLint.configuration.send('disable_class_inherits_from_params_class')
diff --git a/manifests/custom_config.pp b/manifests/custom_config.pp
index cadc2354db..7bd4d3ed8e 100644
--- a/manifests/custom_config.pp
+++ b/manifests/custom_config.pp
@@ -23,8 +23,15 @@
validate_bool($verify_config)
+ if $priority {
+ $priority_prefix = "${priority}-"
+ } else {
+ $priority_prefix = ''
+ }
+
## Apache include does not always work with spaces in the filename
- $filename = regsubst($name, ' ', '_', 'G')
+ $filename_middle = regsubst($name, ' ', '_', 'G')
+ $filename = "${priority_prefix}${filename_middle}.conf"
if ! $verify_config or $ensure == 'absent' {
$notifies = Service['httpd']
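Review bot: The new `if $priority` test relies on truthiness and nothing validates the value first. The README added in this patch tells users to pass `false`, but a quoted 'false' is a non-empty string and is truthy, which would produce a file named `false-<name>.conf`. Please validate `$priority` before this block (boolean false, or a string or integer of digits) and fail on anything else.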
@@ -34,7 +41,7 @@
file { "apache_${name}":
ensure => $ensure,
- path => "${confdir}/${priority}-${filename}.conf",
+ path => "${confdir}/${filename}",
content => $content,
source => $source,
require => Package['httpd'],
@@ -51,7 +58,7 @@
}
exec { "remove ${name} if invalid":
- command => "/bin/rm ${confdir}/${priority}-${filename}.conf",
+ command => "/bin/rm ${confdir}/${filename}",
unless => $verify_command,
subscribe => File["apache_${name}"],
refreshonly => true,
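Review bot: The changed `command` line interpolates `${confdir}/${filename}` unquoted into `/bin/rm`, and `$filename` is built from `$name` with only spaces replaced. Nothing visible here constrains `$name` to a plain file name, so the path handed to rm is whatever the resource title yields. Please validate `$name` against a conservative pattern, or replace the exec with a `file` resource using `ensure => absent` so the target is a single managed path.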
diff --git a/manifests/default_mods.pp b/manifests/default_mods.pp
index 09e360a49e..2415464505 100644
--- a/manifests/default_mods.pp
+++ b/manifests/default_mods.pp
@@ -7,7 +7,7 @@
# They are not configurable at this time, so we just include
# them to make sure it works.
case $::osfamily {
- 'redhat', 'freebsd': {
+ 'redhat': {
::apache::mod { 'log_config': }
if versioncmp($apache_version, '2.4') >= 0 {
# Lets fork it
@@ -18,6 +18,10 @@
::apache::mod { 'unixd': }
}
}
+ 'freebsd': {
+ ::apache::mod { 'log_config': }
+ ::apache::mod { 'unixd': }
+ }
default: {}
}
::apache::mod { 'authz_host': }
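Review bot: The new `'freebsd'` branch loads `unixd` unconditionally, while the `'redhat'` branch above keeps it under the `versioncmp($apache_version, '2.4') >= 0` check. If FreeBSD is now assumed to be 2.4 only, please say so in a comment here and in the README, whose FreeBSD defaults in this same patch still mention `apache22`. Otherwise keep the version guard.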
@@ -74,26 +78,27 @@
include ::apache::mod::version
include ::apache::mod::vhost_alias
include ::apache::mod::speling
+ include ::apache::mod::filter
::apache::mod { 'asis': }
::apache::mod { 'auth_digest': }
- ::apache::mod { 'authn_alias': }
+ ::apache::mod { 'auth_form': }
::apache::mod { 'authn_anon': }
+ ::apache::mod { 'authn_core': }
::apache::mod { 'authn_dbm': }
- ::apache::mod { 'authn_default': }
+ ::apache::mod { 'authn_socache': }
+ ::apache::mod { 'authz_dbd': }
::apache::mod { 'authz_dbm': }
::apache::mod { 'authz_owner': }
- ::apache::mod { 'cern_meta': }
- ::apache::mod { 'charset_lite': }
::apache::mod { 'dumpio': }
::apache::mod { 'expires': }
::apache::mod { 'file_cache': }
- ::apache::mod { 'filter':}
::apache::mod { 'imagemap':}
::apache::mod { 'include': }
::apache::mod { 'logio': }
+ ::apache::mod { 'request': }
+ ::apache::mod { 'session': }
::apache::mod { 'unique_id': }
- ::apache::mod { 'usertrack': }
}
default: {}
}
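Review bot: This hunk changes the default set of loaded modules (adds `auth_form`, `authn_core`, `authn_socache`, `authz_dbd`, `request`, `session`; drops `authn_alias`, `authn_default`, `cern_meta`, `charset_lite`, `usertrack`) and none of that appears in the 1.3.0 CHANGELOG entry. Users who rely on `default_mods` will get a different module surface after upgrading, including session and form-auth modules they may not want loaded. Please list the change in the CHANGELOG and add a comment explaining why each new module is needed by default.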
@@ -121,14 +126,14 @@
::apache::mod { 'authn_file': }
if versioncmp($apache_version, '2.4') >= 0 {
+ # filter is needed by mod_deflate
+ include ::apache::mod::filter
+
# authz_core is needed for 'Require' directive
::apache::mod { 'authz_core':
id => 'authz_core_module',
}
- # filter is needed by mod_deflate
- ::apache::mod { 'filter': }
-
# lots of stuff seems to break without access_compat
::apache::mod { 'access_compat': }
} else {
diff --git a/manifests/init.pp b/manifests/init.pp
index 32966b86f7..f7b89076d8 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -28,6 +28,7 @@
$default_ssl_crl_check = undef,
$ip = undef,
$service_enable = true,
+ $service_manage = true,
$service_ensure = 'running',
$purge_configs = true,
$purge_vhost_dir = undef,
@@ -66,12 +67,15 @@
$trace_enable = 'On',
$allow_encoded_slashes = undef,
$package_ensure = 'installed',
+ $use_optional_includes = $::apache::params::use_optional_includes,
) inherits ::apache::params {
validate_bool($default_vhost)
validate_bool($default_ssl_vhost)
validate_bool($default_confd_files)
# true/false is sufficient for both ensure and enable
validate_bool($service_enable)
+ validate_bool($service_manage)
+ validate_bool($use_optional_includes)
$valid_mpms_re = $apache_version ? {
'2.4' => '(event|itk|peruser|prefork|worker)',
@@ -126,6 +130,7 @@
class { '::apache::service':
service_name => $service_name,
service_enable => $service_enable,
+ service_manage => $service_manage,
service_ensure => $service_ensure,
}
@@ -242,22 +247,19 @@
'debian': {
$pidfile = "\${APACHE_PID_FILE}"
$error_log = 'error.log'
- $error_documents_path = '/usr/share/apache2/error'
$scriptalias = '/usr/lib/cgi-bin'
$access_log_file = 'access.log'
}
'redhat': {
$pidfile = 'run/httpd.pid'
$error_log = 'error_log'
- $error_documents_path = '/var/www/error'
$scriptalias = '/var/www/cgi-bin'
$access_log_file = 'access_log'
}
'freebsd': {
$pidfile = '/var/run/httpd.pid'
$error_log = 'httpd-error.log'
- $error_documents_path = '/usr/local/www/apache22/error'
- $scriptalias = '/usr/local/www/apache22/cgi-bin'
+ $scriptalias = '/usr/local/www/apache24/cgi-bin'
$access_log_file = 'httpd-access.log'
}
default: {
diff --git a/manifests/mod.pp b/manifests/mod.pp
index 88cdcd6a5b..0891bf0b77 100644
--- a/manifests/mod.pp
+++ b/manifests/mod.pp
@@ -88,7 +88,7 @@
Exec["mkdir ${mod_dir}"],
],
before => File[$mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
if $::osfamily == 'Debian' {
@@ -105,7 +105,7 @@
Exec["mkdir ${enable_dir}"],
],
before => File[$enable_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
# Each module may have a .conf file as well, which should be
# defined in the class apache::mod::module
@@ -123,7 +123,7 @@
Exec["mkdir ${enable_dir}"],
],
before => File[$enable_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
}
diff --git a/manifests/mod/alias.pp b/manifests/mod/alias.pp
index ee017b490f..c9f8e4dab1 100644
--- a/manifests/mod/alias.pp
+++ b/manifests/mod/alias.pp
@@ -1,10 +1,15 @@
class apache::mod::alias(
$apache_version = $apache::apache_version
) {
+ $ver24 = versioncmp($apache_version, '2.4') >= 0
+
$icons_path = $::osfamily ? {
'debian' => '/usr/share/apache2/icons',
- 'redhat' => '/var/www/icons',
- 'freebsd' => '/usr/local/www/apache22/icons',
+ 'redhat' => $ver24 ? {
+ true => '/usr/share/httpd/icons',
+ default => '/var/www/icons',
+ },
+ 'freebsd' => '/usr/local/www/apache24/icons',
}
apache::mod { 'alias': }
# Template uses $icons_path
@@ -14,6 +19,6 @@
content => template('apache/mod/alias.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/mod/auth_cas.pp b/manifests/mod/auth_cas.pp
new file mode 100644
index 0000000000..fdb5ee80a2
--- /dev/null
+++ b/manifests/mod/auth_cas.pp
@@ -0,0 +1,48 @@
+class apache::mod::auth_cas (
+ $cas_login_url,
+ $cas_validate_url,
+ $cas_cookie_path = $::apache::params::cas_cookie_path,
+ $cas_version = 2,
+ $cas_debug = 'Off',
+ $cas_validate_depth = undef,
+ $cas_certificate_path = undef,
+ $cas_proxy_validate_url = undef,
+ $cas_root_proxied_as = undef,
+ $cas_cookie_entropy = undef,
+ $cas_timeout = undef,
+ $cas_idle_timeout = undef,
+ $cas_cache_clean_interval = undef,
+ $cas_cookie_domain = undef,
+ $cas_cookie_http_only = undef,
+ $cas_authoritative = undef,
+ $suppress_warning = false,
+) {
+
+ validate_string($cas_login_url, $cas_validate_url, $cas_cookie_path)
+
+ if $::osfamily == 'RedHat' and ! $suppress_warning {
+ warning('RedHat distributions do not have Apache mod_auth_cas in their default package repositories.')
+ }
+
+ ::apache::mod { 'auth_cas': }
+
+ file { $cas_cookie_path:
+ ensure => directory,
+ before => File['auth_cas.conf'],
+ mode => '0750',
+ owner => $apache::user,
+ group => $apache::group,
+ }
+
+ # Template uses
+ # - All variables beginning with cas_
+ file { 'auth_cas.conf':
+ ensure => file,
+ path => "${::apache::mod_dir}/auth_cas.conf",
+ content => template('apache/mod/auth_cas.conf.erb'),
+ require => [ Exec["mkdir ${::apache::mod_dir}"], ],
+ before => File[$::apache::mod_dir],
+ notify => Service['httpd'],
+ }
+
+}
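Review bot: the `auth_cas.conf` file resource in this new class still uses `notify => Service['httpd']`, while every other module touched by this change moves to `notify => Class['apache::service']`. Switch it so this module follows the same `service_manage` path as the rest. Two smaller points: the class defaults `$cas_cookie_path` from `$::apache::params::cas_cookie_path` without `inherits ::apache::params` (the php.pp change in this same patch adds the inherit for exactly that pattern), and `$cas_debug` and `$cas_version` reach the template with no validation.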
diff --git a/manifests/mod/authnz_ldap.pp b/manifests/mod/authnz_ldap.pp
index 800e656e89..b75369ffcd 100644
--- a/manifests/mod/authnz_ldap.pp
+++ b/manifests/mod/authnz_ldap.pp
@@ -14,6 +14,6 @@
content => template('apache/mod/authnz_ldap.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/mod/autoindex.pp b/manifests/mod/autoindex.pp
index f5f0f07458..c0969a814e 100644
--- a/manifests/mod/autoindex.pp
+++ b/manifests/mod/autoindex.pp
@@ -7,6 +7,6 @@
content => template('apache/mod/autoindex.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/mod/cgi.pp b/manifests/mod/cgi.pp
index 6c3c6aec8d..91352e8c8d 100644
--- a/manifests/mod/cgi.pp
+++ b/manifests/mod/cgi.pp
@@ -1,4 +1,10 @@
class apache::mod::cgi {
- Class['::apache::mod::prefork'] -> Class['::apache::mod::cgi']
+ case $::osfamily {
+ 'FreeBSD': {}
+ default: {
+ Class['::apache::mod::prefork'] -> Class['::apache::mod::cgi']
+ }
+ }
+
::apache::mod { 'cgi': }
}
diff --git a/manifests/mod/cgid.pp b/manifests/mod/cgid.pp
index 2a0c178e01..8946f652b9 100644
--- a/manifests/mod/cgid.pp
+++ b/manifests/mod/cgid.pp
@@ -1,5 +1,10 @@
class apache::mod::cgid {
- Class['::apache::mod::worker'] -> Class['::apache::mod::cgid']
+ case $::osfamily {
+ 'FreeBSD': {}
+ default: {
+ Class['::apache::mod::worker'] -> Class['::apache::mod::cgid']
+ }
+ }
# Debian specifies it's cgid sock path, but RedHat uses the default value
# with no config file
@@ -17,7 +22,7 @@
content => template('apache/mod/cgid.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
}
diff --git a/manifests/mod/dav_fs.pp b/manifests/mod/dav_fs.pp
index 0cb663f5c5..af037e32d0 100644
--- a/manifests/mod/dav_fs.pp
+++ b/manifests/mod/dav_fs.pp
@@ -15,6 +15,6 @@
content => template('apache/mod/dav_fs.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/mod/deflate.pp b/manifests/mod/deflate.pp
index 561cbadbf9..9b8d43621c 100644
--- a/manifests/mod/deflate.pp
+++ b/manifests/mod/deflate.pp
@@ -19,6 +19,6 @@
content => template('apache/mod/deflate.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/mod/dir.pp b/manifests/mod/dir.pp
index 11631305a4..6243a1bb7d 100644
--- a/manifests/mod/dir.pp
+++ b/manifests/mod/dir.pp
@@ -16,6 +16,6 @@
content => template('apache/mod/dir.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/mod/disk_cache.pp b/manifests/mod/disk_cache.pp
index 13c9c78352..2730809cf1 100644
--- a/manifests/mod/disk_cache.pp
+++ b/manifests/mod/disk_cache.pp
@@ -4,6 +4,12 @@
'redhat' => '/var/cache/mod_proxy',
'freebsd' => '/var/cache/mod_disk_cache',
}
+
+ $mod_name = $::osfamily ? {
+ 'FreeBSD' => 'cache_disk',
+ default => 'disk_cache',
+ }
+
if $::osfamily != 'FreeBSD' {
# FIXME: investigate why disk_cache was dependent on proxy
# NOTE: on FreeBSD disk_cache is compiled by default but proxy is not
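Review bot: `$mod_name` is chosen by `$::osfamily`, but the module rename from `disk_cache` to `cache_disk` came with Apache 2.4 rather than with FreeBSD, so other families running 2.4 will still ask for `disk_cache`. Keying the selector on `versioncmp($apache_version, '2.4') >= 0` would cover both cases. The selector also matches on 'FreeBSD' while the `$cache_root` selector directly above it uses 'freebsd'; pick one spelling for the file.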
@@ -11,7 +17,7 @@
}
Class['::apache::mod::cache'] -> Class['::apache::mod::disk_cache']
- apache::mod { 'disk_cache': }
+ apache::mod { $mod_name: }
# Template uses $cache_proxy
file { 'disk_cache.conf':
ensure => file,
@@ -19,6 +25,6 @@
content => template('apache/mod/disk_cache.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/mod/event.pp b/manifests/mod/event.pp
index cb7ed96cd6..18a226ee53 100644
--- a/manifests/mod/event.pp
+++ b/manifests/mod/event.pp
@@ -1,12 +1,16 @@
class apache::mod::event (
- $startservers = '2',
- $maxclients = '150',
- $minsparethreads = '25',
- $maxsparethreads = '75',
- $threadsperchild = '25',
- $maxrequestsperchild = '0',
- $serverlimit = '25',
- $apache_version = $::apache::apache_version,
+ $startservers = '2',
+ $maxclients = '150',
+ $minsparethreads = '25',
+ $maxsparethreads = '75',
+ $threadsperchild = '25',
+ $maxrequestsperchild = '0',
+ $serverlimit = '25',
+ $apache_version = $::apache::apache_version,
+ $threadlimit = '64',
+ $listenbacklog = '511',
+ $maxrequestworkers = '256',
+ $maxconnectionsperchild = '0',
) {
if defined(Class['apache::mod::itk']) {
fail('May not include both apache::mod::event and apache::mod::itk on the same node')
@@ -39,7 +43,7 @@
content => template('apache/mod/event.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
case $::osfamily {
diff --git a/manifests/mod/fastcgi.pp b/manifests/mod/fastcgi.pp
index a185bb31fa..1f7e5df4fb 100644
--- a/manifests/mod/fastcgi.pp
+++ b/manifests/mod/fastcgi.pp
@@ -17,7 +17,7 @@
content => template('apache/mod/fastcgi.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/mod/fcgid.pp b/manifests/mod/fcgid.pp
index 70761e41d7..a143c2b434 100644
--- a/manifests/mod/fcgid.pp
+++ b/manifests/mod/fcgid.pp
@@ -19,6 +19,6 @@
content => template('apache/mod/fcgid.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/mod/filter.pp b/manifests/mod/filter.pp
new file mode 100644
index 0000000000..26dc488b3a
--- /dev/null
+++ b/manifests/mod/filter.pp
@@ -0,0 +1,3 @@
+class apache::mod::filter {
+ ::apache::mod { 'filter': }
+}
diff --git a/manifests/mod/info.pp b/manifests/mod/info.pp
index 2c3d56ed88..f0d03eb0f6 100644
--- a/manifests/mod/info.pp
+++ b/manifests/mod/info.pp
@@ -13,6 +13,6 @@
content => template('apache/mod/info.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/mod/itk.pp b/manifests/mod/itk.pp
index 1083e5ed24..49794945d4 100644
--- a/manifests/mod/itk.pp
+++ b/manifests/mod/itk.pp
@@ -13,8 +13,10 @@
if defined(Class['apache::mod::peruser']) {
fail('May not include both apache::mod::itk and apache::mod::peruser on the same node')
}
- if defined(Class['apache::mod::prefork']) {
- fail('May not include both apache::mod::itk and apache::mod::prefork on the same node')
+ if versioncmp($apache_version, '2.4') < 0 {
+ if defined(Class['apache::mod::prefork']) {
+ fail('May not include both apache::mod::itk and apache::mod::prefork on the same node')
+ }
}
if defined(Class['apache::mod::worker']) {
fail('May not include both apache::mod::itk and apache::mod::worker on the same node')
@@ -37,7 +39,7 @@
content => template('apache/mod/itk.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
case $::osfamily {
diff --git a/manifests/mod/ldap.pp b/manifests/mod/ldap.pp
index d3b17ff5b8..fbd56d539a 100644
--- a/manifests/mod/ldap.pp
+++ b/manifests/mod/ldap.pp
@@ -9,6 +9,6 @@
content => template('apache/mod/ldap.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/mod/mime.pp b/manifests/mod/mime.pp
index ccdb5d4b3c..86000d1679 100644
--- a/manifests/mod/mime.pp
+++ b/manifests/mod/mime.pp
@@ -10,7 +10,7 @@
content => template('apache/mod/mime.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
if $mime_support_package {
package { $mime_support_package:
diff --git a/manifests/mod/mime_magic.pp b/manifests/mod/mime_magic.pp
index c276268e4d..c057b01f50 100644
--- a/manifests/mod/mime_magic.pp
+++ b/manifests/mod/mime_magic.pp
@@ -9,6 +9,6 @@
content => template('apache/mod/mime_magic.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/mod/negotiation.pp b/manifests/mod/negotiation.pp
index 0bdbfdc3cc..02a3a0e64d 100644
--- a/manifests/mod/negotiation.pp
+++ b/manifests/mod/negotiation.pp
@@ -20,6 +20,6 @@
content => template('apache/mod/negotiation.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/mod/nss.pp b/manifests/mod/nss.pp
index f0eff1cdf7..132b41b3f6 100644
--- a/manifests/mod/nss.pp
+++ b/manifests/mod/nss.pp
@@ -20,6 +20,6 @@
content => template('apache/mod/nss.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/mod/pagespeed.pp b/manifests/mod/pagespeed.pp
index efe100861d..588849c472 100644
--- a/manifests/mod/pagespeed.pp
+++ b/manifests/mod/pagespeed.pp
@@ -50,6 +50,6 @@
content => template('apache/mod/pagespeed.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/mod/passenger.pp b/manifests/mod/passenger.pp
index 12139cb2b4..7ff6b71be3 100644
--- a/manifests/mod/passenger.pp
+++ b/manifests/mod/passenger.pp
@@ -81,6 +81,6 @@
content => template('apache/mod/passenger.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/mod/peruser.pp b/manifests/mod/peruser.pp
index 518655a1d4..6b9dfad95f 100644
--- a/manifests/mod/peruser.pp
+++ b/manifests/mod/peruser.pp
@@ -8,66 +8,63 @@
$expiretimeout = '120',
$keepalive = 'Off',
) {
- if defined(Class['apache::mod::event']) {
- fail('May not include both apache::mod::peruser and apache::mod::event on the same node')
- }
- if defined(Class['apache::mod::itk']) {
- fail('May not include both apache::mod::peruser and apache::mod::itk on the same node')
- }
- if defined(Class['apache::mod::prefork']) {
- fail('May not include both apache::mod::peruser and apache::mod::prefork on the same node')
- }
- if defined(Class['apache::mod::worker']) {
- fail('May not include both apache::mod::peruser and apache::mod::worker on the same node')
- }
- File {
- owner => 'root',
- group => $::apache::params::root_group,
- mode => '0644',
- }
-
- $mod_dir = $::apache::mod_dir
-
- # Template uses:
- # - $minspareprocessors
- # - $minprocessors
- # - $maxprocessors
- # - $maxclients
- # - $maxrequestsperchild
- # - $idletimeout
- # - $expiretimeout
- # - $keepalive
- # - $mod_dir
- file { "${::apache::mod_dir}/peruser.conf":
- ensure => file,
- content => template('apache/mod/peruser.conf.erb'),
- require => Exec["mkdir ${::apache::mod_dir}"],
- before => File[$::apache::mod_dir],
- notify => Service['httpd'],
- }
- file { "${::apache::mod_dir}/peruser":
- ensure => directory,
- require => File[$::apache::mod_dir],
- }
- file { "${::apache::mod_dir}/peruser/multiplexers":
- ensure => directory,
- require => File["${::apache::mod_dir}/peruser"],
- }
- file { "${::apache::mod_dir}/peruser/processors":
- ensure => directory,
- require => File["${::apache::mod_dir}/peruser"],
- }
-
- ::apache::peruser::multiplexer { '01-default': }
case $::osfamily {
'freebsd' : {
- class { '::apache::package':
- mpm_module => 'peruser'
- }
+ fail("Unsupported osfamily ${::osfamily}")
}
default: {
- fail("Unsupported osfamily ${::osfamily}")
+ if defined(Class['apache::mod::event']) {
+ fail('May not include both apache::mod::peruser and apache::mod::event on the same node')
+ }
+ if defined(Class['apache::mod::itk']) {
+ fail('May not include both apache::mod::peruser and apache::mod::itk on the same node')
+ }
+ if defined(Class['apache::mod::prefork']) {
+ fail('May not include both apache::mod::peruser and apache::mod::prefork on the same node')
+ }
+ if defined(Class['apache::mod::worker']) {
+ fail('May not include both apache::mod::peruser and apache::mod::worker on the same node')
+ }
+ File {
+ owner => 'root',
+ group => $::apache::params::root_group,
+ mode => '0644',
+ }
+
+ $mod_dir = $::apache::mod_dir
+
+ # Template uses:
+ # - $minspareprocessors
+ # - $minprocessors
+ # - $maxprocessors
+ # - $maxclients
+ # - $maxrequestsperchild
+ # - $idletimeout
+ # - $expiretimeout
+ # - $keepalive
+ # - $mod_dir
+ file { "${::apache::mod_dir}/peruser.conf":
+ ensure => file,
+ content => template('apache/mod/peruser.conf.erb'),
+ require => Exec["mkdir ${::apache::mod_dir}"],
+ before => File[$::apache::mod_dir],
+ notify => Class['apache::service'],
+ }
+ file { "${::apache::mod_dir}/peruser":
+ ensure => directory,
+ require => File[$::apache::mod_dir],
+ }
+ file { "${::apache::mod_dir}/peruser/multiplexers":
+ ensure => directory,
+ require => File["${::apache::mod_dir}/peruser"],
+ }
+ file { "${::apache::mod_dir}/peruser/processors":
+ ensure => directory,
+ require => File["${::apache::mod_dir}/peruser"],
+ }
+
+ ::apache::peruser::multiplexer { '01-default': }
}
}
}
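Review bot: swapping the two case branches means the `default:` branch now runs on every non-FreeBSD family, all of which previously hit `fail("Unsupported osfamily ...")`, and nothing in that branch installs or loads a peruser MPM now that the `::apache::package` declaration is gone. If peruser is only being dropped for FreeBSD, keep an explicit failure for families where it was never supported. The `fail` message in the 'freebsd' branch could also say why (no peruser MPM for the apache24 port) instead of the generic "Unsupported osfamily", and the branch label should use the 'FreeBSD' spelling used elsewhere in this patch.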
diff --git a/manifests/mod/php.pp b/manifests/mod/php.pp
index c1f76065a6..1d1274f3b4 100644
--- a/manifests/mod/php.pp
+++ b/manifests/mod/php.pp
@@ -6,7 +6,9 @@
$content = undef,
$template = 'apache/mod/php5.conf.erb',
$source = undef,
-) {
+ $root_group = $::apache::params::root_group,
+) inherits apache::params {
+
if defined(Class['::apache::mod::prefork']) {
Class['::apache::mod::prefork']->File['php5.conf']
}
@@ -47,7 +49,7 @@
ensure => file,
path => "${::apache::mod_dir}/php5.conf",
owner => 'root',
- group => 'root',
+ group => $root_group,
mode => '0644',
content => $manage_content,
source => $source,
@@ -55,6 +57,6 @@
Exec["mkdir ${::apache::mod_dir}"],
],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/mod/prefork.pp b/manifests/mod/prefork.pp
index b3adeae8c8..90fa39a89c 100644
--- a/manifests/mod/prefork.pp
+++ b/manifests/mod/prefork.pp
@@ -10,8 +10,10 @@
if defined(Class['apache::mod::event']) {
fail('May not include both apache::mod::prefork and apache::mod::event on the same node')
}
- if defined(Class['apache::mod::itk']) {
- fail('May not include both apache::mod::prefork and apache::mod::itk on the same node')
+ if versioncmp($apache_version, '2.4') < 0 {
+ if defined(Class['apache::mod::itk']) {
+ fail('May not include both apache::mod::prefork and apache::mod::itk on the same node')
+ }
}
if defined(Class['apache::mod::peruser']) {
fail('May not include both apache::mod::prefork and apache::mod::peruser on the same node')
@@ -37,7 +39,7 @@
content => template('apache/mod/prefork.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
case $::osfamily {
@@ -54,7 +56,7 @@
line => '#HTTPD=/usr/sbin/httpd.worker',
match => '#?HTTPD=/usr/sbin/httpd.worker',
require => Package['httpd'],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
}
diff --git a/manifests/mod/proxy.pp b/manifests/mod/proxy.pp
index 03c1e78c95..8c685d55b5 100644
--- a/manifests/mod/proxy.pp
+++ b/manifests/mod/proxy.pp
@@ -11,6 +11,6 @@
content => template('apache/mod/proxy.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/mod/proxy_connect.pp b/manifests/mod/proxy_connect.pp
new file mode 100644
index 0000000000..3bae848446
--- /dev/null
+++ b/manifests/mod/proxy_connect.pp
@@ -0,0 +1,8 @@
+class apache::mod::proxy_connect (
+ $apache_version = $::apache::apache_version,
+) {
+ if versioncmp($apache_version, '2.4') >= 0 {
+ Class['::apache::mod::proxy'] -> Class['::apache::mod::proxy_connect']
+ ::apache::mod { 'proxy_connect': }
+ }
+}
diff --git a/manifests/mod/proxy_html.pp b/manifests/mod/proxy_html.pp
index 549eb117fa..279cb64ade 100644
--- a/manifests/mod/proxy_html.pp
+++ b/manifests/mod/proxy_html.pp
@@ -32,6 +32,6 @@
content => template('apache/mod/proxy_html.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/mod/reqtimeout.pp b/manifests/mod/reqtimeout.pp
index 62088873bb..34c96a6784 100644
--- a/manifests/mod/reqtimeout.pp
+++ b/manifests/mod/reqtimeout.pp
@@ -9,6 +9,6 @@
content => template('apache/mod/reqtimeout.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/mod/rpaf.pp b/manifests/mod/rpaf.pp
index 6fbc1d4e04..12b86eb8bd 100644
--- a/manifests/mod/rpaf.pp
+++ b/manifests/mod/rpaf.pp
@@ -15,6 +15,6 @@
content => template('apache/mod/rpaf.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp
new file mode 100644
index 0000000000..84e55e2921
--- /dev/null
+++ b/manifests/mod/security.pp
@@ -0,0 +1,75 @@
+class apache::mod::security (
+ $crs_package = $::apache::params::modsec_crs_package,
+ $activated_rules = $::apache::params::modsec_default_rules,
+ $modsec_dir = $::apache::params::modsec_dir,
+ $allowed_methods = 'GET HEAD POST OPTIONS',
+ $content_types = 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf',
+ $restricted_extensions = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',
+ $restricted_headers = '/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/',
+){
+
+ if $::osfamily == 'FreeBSD' {
+ fail('FreeBSD is not currently supported')
+ }
+
+ ::apache::mod { 'security':
+ id => 'security2_module',
+ lib => 'mod_security2.so',
+ }
+
+ ::apache::mod { 'unique_id_module':
+ id => 'unique_id_module',
+ lib => 'mod_unique_id.so',
+ }
+
+ if $crs_package {
+ package { $crs_package:
+ ensure => 'latest',
+ before => File['security.conf'],
+ }
+ }
+
+ # Template uses:
+ # - $modsec_dir
+ file { 'security.conf':
+ ensure => file,
+ content => template('apache/mod/security.conf.erb'),
+ path => "${::apache::mod_dir}/security.conf",
+ owner => $::apache::params::user,
+ group => $::apache::params::group,
+ require => Exec["mkdir ${::apache::mod_dir}"],
+ before => File[$::apache::mod_dir],
+ notify => Class['apache::service'],
+ }
+
+ file { $modsec_dir:
+ ensure => directory,
+ owner => $::apache::params::user,
+ group => $::apache::params::group,
+ mode => '0555',
+ purge => true,
+ force => true,
+ recurse => true,
+ }
+
+ file { "${modsec_dir}/activated_rules":
+ ensure => directory,
+ owner => $::apache::params::user,
+ group => $::apache::params::group,
+ mode => '0555',
+ purge => true,
+ force => true,
+ recurse => true,
+ notify => Class['apache::service'],
+ }
+
+ file { "${modsec_dir}/security_crs.conf":
+ ensure => file,
+ content => template('apache/mod/security_crs.conf.erb'),
+ require => File[$modsec_dir],
+ notify => Class['apache::service'],
+ }
+
+ apache::security::rule_link { $activated_rules: }
+
+}
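Review bot: `$modsec_dir` and `${modsec_dir}/activated_rules` are owned by `$::apache::params::user`, so the account the web server is configured with owns the directories that hold its own ModSecurity rules, and mode '0555' does not stop the owner from changing the mode back. Prefer `owner => 'root'` with `$::apache::params::root_group` and read access for the apache group. Related points in the same hunk: `security_crs.conf` sets no owner or mode at all, `package { $crs_package: ensure => 'latest' }` lets the rule set change on any agent run without a code change (use 'installed' or a pinned version), and the `::apache::mod { 'unique_id_module': }` title differs from the `unique_id` title used in default_mods, so both can end up managing the same module under different names.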
diff --git a/manifests/mod/setenvif.pp b/manifests/mod/setenvif.pp
index 15b1441d83..c73102dfbe 100644
--- a/manifests/mod/setenvif.pp
+++ b/manifests/mod/setenvif.pp
@@ -7,6 +7,6 @@
content => template('apache/mod/setenvif.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/mod/ssl.pp b/manifests/mod/ssl.pp
index 293e9319cc..f2b62459e3 100644
--- a/manifests/mod/ssl.pp
+++ b/manifests/mod/ssl.pp
@@ -1,10 +1,12 @@
class apache::mod::ssl (
- $ssl_compression = false,
- $ssl_options = [ 'StdEnvVars' ],
- $ssl_cipher = 'HIGH:MEDIUM:!aNULL:!MD5',
- $ssl_protocol = [ 'all', '-SSLv2', '-SSLv3' ],
- $apache_version = $::apache::apache_version,
- $package_name = undef,
+ $ssl_compression = false,
+ $ssl_options = [ 'StdEnvVars' ],
+ $ssl_cipher = 'HIGH:MEDIUM:!aNULL:!MD5',
+ $ssl_protocol = [ 'all', '-SSLv2', '-SSLv3' ],
+ $ssl_pass_phrase_dialog = 'builtin',
+ $ssl_random_seed_bytes = '512',
+ $apache_version = $::apache::apache_version,
+ $package_name = undef,
) {
$session_cache = $::osfamily ? {
'debian' => "\${APACHE_RUN_DIR}/ssl_scache(512000)",
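Review bot: `$ssl_pass_phrase_dialog` and `$ssl_random_seed_bytes` are added with no validation, unlike the `validate_bool` calls this patch adds in init.pp. `SSLPassPhraseDialog` accepts program forms (`exec:/path` and `|/path`) as well as `builtin`, so a `validate_re` on the accepted forms would keep a bad Hiera value from ending up in ssl.conf unnoticed; `$ssl_random_seed_bytes` should be checked as a positive integer. Both parameters also need an entry in the README parameter list.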
@@ -55,6 +57,6 @@
content => template('apache/mod/ssl.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/mod/status.pp b/manifests/mod/status.pp
index cfab5d58ea..4c3f8d9e25 100644
--- a/manifests/mod/status.pp
+++ b/manifests/mod/status.pp
@@ -9,7 +9,9 @@
# /server-status URL. Defaults to ['127.0.0.1', '::1'].
# - $extended_status track and display extended status information. Valid
# values are 'On' or 'Off'. Defaults to 'On'.
-#
+# - $status_path is the path assigned to the Location directive which
+# defines the URL to access the server status. Defaults to '/server-status'.
+#
# Actions:
# - Enable and configure Apache mod_status
#
@@ -27,17 +29,18 @@
$allow_from = ['127.0.0.1','::1'],
$extended_status = 'On',
$apache_version = $::apache::apache_version,
+ $status_path = '/server-status',
){
validate_array($allow_from)
validate_re(downcase($extended_status), '^(on|off)$', "${extended_status} is not supported for extended_status. Allowed values are 'On' and 'Off'.")
::apache::mod { 'status': }
- # Template uses $allow_from, $extended_status, $apache_version
+ # Template uses $allow_from, $extended_status, $apache_version, $status_path
file { 'status.conf':
ensure => file,
path => "${::apache::mod_dir}/status.conf",
content => template('apache/mod/status.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
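Review bot: `$status_path` is passed to the template for the `Location` directive without any check, while `$allow_from` and `$extended_status` in the same parameter list are both validated. Add a `validate_re($status_path, '^/')` or equivalent so an empty or relative value fails at compile time rather than producing a broken or unintended `Location` block. It is also worth a spec test that the rendered status.conf carries the custom path together with the `$allow_from` restriction.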
diff --git a/manifests/mod/suphp.pp b/manifests/mod/suphp.pp
index f9a572f463..c50beea06c 100644
--- a/manifests/mod/suphp.pp
+++ b/manifests/mod/suphp.pp
@@ -8,7 +8,7 @@
content => template('apache/mod/suphp.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd']
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/mod/userdir.pp b/manifests/mod/userdir.pp
index accfe64a79..038e0790bc 100644
--- a/manifests/mod/userdir.pp
+++ b/manifests/mod/userdir.pp
@@ -13,6 +13,6 @@
content => template('apache/mod/userdir.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/mod/version.pp b/manifests/mod/version.pp
index c0e405686a..1cc4412e1d 100644
--- a/manifests/mod/version.pp
+++ b/manifests/mod/version.pp
@@ -1,4 +1,6 @@
-class apache::mod::version {
+class apache::mod::version(
+ $apache_version = $::apache::apache_version
+) {
if ($::osfamily == 'debian' and versioncmp($apache_version, '2.4') >= 0) {
warning("${module_name}: module version_module is built-in and can't be loaded")
diff --git a/manifests/mod/worker.pp b/manifests/mod/worker.pp
index 0d2815964b..48d1c9f229 100644
--- a/manifests/mod/worker.pp
+++ b/manifests/mod/worker.pp
@@ -41,7 +41,7 @@
content => template('apache/mod/worker.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
case $::osfamily {
@@ -58,7 +58,7 @@
line => 'HTTPD=/usr/sbin/httpd.worker',
match => '#?HTTPD=/usr/sbin/httpd.worker',
require => Package['httpd'],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
}
diff --git a/manifests/mod/wsgi.pp b/manifests/mod/wsgi.pp
index 2a47bb68e3..80f9738ff9 100644
--- a/manifests/mod/wsgi.pp
+++ b/manifests/mod/wsgi.pp
@@ -2,8 +2,28 @@
$wsgi_socket_prefix = $::apache::params::wsgi_socket_prefix,
$wsgi_python_path = undef,
$wsgi_python_home = undef,
+ $package_name = undef,
+ $mod_path = undef,
){
- ::apache::mod { 'wsgi': }
+
+ if ($package_name != undef and $mod_path == undef) or ($package_name == undef and $mod_path != undef) {
+ fail('apache::mod::wsgi - both package_name and mod_path must be specified!')
+ }
+
+ if $package_name != undef {
+ if $mod_path =~ /\// {
+ $_mod_path = $mod_path
+ } else {
+ $_mod_path = "${::apache::params::lib_path}/${mod_path}"
+ }
+ ::apache::mod { 'wsgi':
+ package => $package_name,
+ path => $_mod_path,
+ }
+ }
+ else {
+ ::apache::mod { 'wsgi': }
+ }
# Template uses:
# - $wsgi_socket_prefix
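Review bot: `$mod_path =~ /\//` matches a slash anywhere in the string, so a relative value such as `modules/mod_wsgi.so` is treated as a full path and passed to `::apache::mod` unchanged. Anchor the test to a leading slash (`/^\//`) or use `validate_absolute_path` on the absolute branch. The two-sided `fail` condition would read more clearly as a single check that exactly one of `$package_name` and `$mod_path` is set, and the new parameters need documenting.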
@@ -15,7 +35,7 @@
content => template('apache/mod/wsgi.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
- notify => Service['httpd']
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/mpm.pp b/manifests/mpm.pp
index 6437016ba7..2b33634f29 100644
--- a/manifests/mpm.pp
+++ b/manifests/mpm.pp
@@ -13,7 +13,10 @@
$_path = "${lib_path}/${_lib}"
$_id = "mpm_${mpm}_module"
- if versioncmp($apache_version, '2.4') >= 0 {
+ if versioncmp($apache_version, '2.4') >= 0 and
+ (($::osfamily != 'FreeBSD') or
+ ($::osfamily == 'FreeBSD' and $mpm == 'itk')) {
+
file { "${mod_dir}/${mpm}.load":
ensure => file,
path => "${mod_dir}/${mpm}.load",
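Review bot: the second half of the new condition is redundant: `($::osfamily != 'FreeBSD') or ($::osfamily == 'FreeBSD' and $mpm == 'itk')` reduces to `$::osfamily != 'FreeBSD' or $mpm == 'itk'`. Simplify it and add a one-line comment explaining why FreeBSD skips the `.load` file for every MPM except itk, since that reasoning is not recoverable from the code.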
@@ -23,7 +26,7 @@
Exec["mkdir ${mod_dir}"],
],
before => File[$mod_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
@@ -34,7 +37,7 @@
target => "${::apache::mod_dir}/${mpm}.conf",
require => Exec["mkdir ${::apache::mod_enable_dir}"],
before => File[$::apache::mod_enable_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
if versioncmp($apache_version, '2.4') >= 0 {
@@ -43,7 +46,14 @@
target => "${::apache::mod_dir}/${mpm}.load",
require => Exec["mkdir ${::apache::mod_enable_dir}"],
before => File[$::apache::mod_enable_dir],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
+ }
+
+ if $mpm == 'itk' {
+ file { "${lib_path}/mod_mpm_itk.so":
+ ensure => link,
+ target => "${lib_path}/mpm_itk.so"
+ }
}
}
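Review bot: the `mod_mpm_itk.so` link is declared for any `$mpm == 'itk'` on 2.4 with no osfamily guard visible in this hunk, and it has no `require` on the package that provides `mpm_itk.so` and no `notify => Class['apache::service']`, so the link can be created before its target exists and a change to it will not reach the service. If this is a FreeBSD-only workaround, guard it accordingly. The `target` line is also missing the trailing comma used everywhere else in this file.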
diff --git a/manifests/package.pp b/manifests/package.pp
index a4e4015c52..395c03103c 100644
--- a/manifests/package.pp
+++ b/manifests/package.pp
@@ -3,43 +3,54 @@
$mpm_module = $::apache::params::mpm_module,
) inherits ::apache::params {
case $::osfamily {
- 'freebsd' : {
- $all_mpms = [
- 'www/apache22',
- 'www/apache22-worker-mpm',
- 'www/apache22-event-mpm',
- 'www/apache22-itk-mpm',
- 'www/apache22-peruser-mpm',
- ]
- if $mpm_module {
- $apache_package = $mpm_module ? {
- 'prefork' => 'www/apache22',
- default => "www/apache22-${mpm_module}-mpm"
+ 'FreeBSD': {
+ case $mpm_module {
+ 'prefork': {
+ $set = 'MPM_PREFORK'
+ $unset = 'MPM_WORKER MPM_EVENT'
}
- } else {
- $apache_package = 'www/apache22'
+ 'worker': {
+ $set = 'MPM_WORKER'
+ $unset = 'MPM_PERFORK MPM_EVENT'
+ }
+ 'event': {
+ $set = 'MPM_EVENT'
+ $unset = 'MPM_PERFORK MPM_WORKER'
+ }
+ 'itk': {
+ $set = undef
+ $unset = undef
+ package { 'www/mod_mpm_itk':
+ ensure => installed,
+ }
+ }
+ default: { fail("MPM module ${mpm_module} not supported on FreeBSD") }
}
- $other_mpms = delete($all_mpms, $apache_package)
- # Configure ports to have apache module packages dependent on correct
- # version of apache package (apache22, apache22-worker-mpm, ...)
- file_line { 'APACHE_PORT in /etc/make.conf':
- ensure => $ensure,
- path => '/etc/make.conf',
- line => "APACHE_PORT=${apache_package}",
- match => '^\s*#?\s*APACHE_PORT\s*=\s*',
- before => Package['httpd'],
+
+ # Configure ports to have apache build options set correctly
+ if $set {
+ file_line { 'apache SET options in /etc/make.conf':
+ ensure => $ensure,
+ path => '/etc/make.conf',
+ line => "apache24_SET_FORCE=${set}",
+ match => '^apache24_SET_FORCE=.*',
+ before => Package['httpd'],
+ }
+ file_line { 'apache UNSET options in /etc/make.conf':
+ ensure => $ensure,
+ path => '/etc/make.conf',
+ line => "apache24_UNSET_FORCE=${unset}",
+ match => '^apache24_UNSET_FORCE=.*',
+ before => Package['httpd'],
+ }
}
- # remove other packages
- ensure_resource('package', $other_mpms, {
- ensure => absent,
- before => Package['httpd'],
- require => File_line['APACHE_PORT in /etc/make.conf'],
- })
+ $apache_package = $::apache::params::apache_name
}
default: {
$apache_package = $::apache::params::apache_name
}
}
+
package { 'httpd':
ensure => $ensure,
name => $apache_package,
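Review bot: `MPM_PERFORK` in the `worker` and `event` branches looks like a typo for `MPM_PREFORK`, the spelling used in the `prefork` branch. As written, `apache24_UNSET_FORCE=MPM_PERFORK MPM_EVENT` and `apache24_UNSET_FORCE=MPM_PERFORK MPM_WORKER` name an option that does not exist, so prefork is never unset when another MPM is chosen. Separately, the `itk` branch sets `$set = undef`, which skips both `file_line` resources and leaves any `apache24_SET_FORCE` line from an earlier MPM choice in `/etc/make.conf`. If that is intended, a comment should say so.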
diff --git a/manifests/params.pp b/manifests/params.pp
index 6a221fd633..add2d94aed 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -27,6 +27,7 @@
# The default error log level
$log_level = 'warn'
+ $use_optional_includes = false
if $::operatingsystem == 'Ubuntu' and $::lsbdistrelease == '10.04' {
$verify_command = '/usr/sbin/apache2ctl -t'
@@ -66,7 +67,9 @@
$suphp_engine = 'off'
$suphp_configpath = undef
# NOTE: The module for Shibboleth is not available to RH/CentOS without an additional repository. http://wiki.aaf.edu.au/tech-info/sp-install-guide
+ # NOTE: The auth_cas module isn't available to RH/CentOS without enabling EPEL.
$mod_packages = {
+ 'auth_cas' => 'mod_auth_cas',
'auth_kerb' => 'mod_auth_kerb',
'authnz_ldap' => $::apache::version::distrelease ? {
'7' => 'mod_ldap',
@@ -83,6 +86,7 @@
},
'proxy_html' => 'mod_proxy_html',
'python' => 'mod_python',
+ 'security' => 'mod_security',
'shibboleth' => 'shibboleth',
'ssl' => 'mod_ssl',
'wsgi' => 'mod_wsgi',
@@ -104,11 +108,42 @@
$mime_support_package = 'mailcap'
$mime_types_config = '/etc/mime.types'
$docroot = '/var/www/html'
- if $::osfamily == "RedHat" {
+ $error_documents_path = $::apache::version::distrelease ? {
+ '7' => '/usr/share/httpd/error',
+ default => '/var/www/error'
+ }
+ if $::osfamily == 'RedHat' {
$wsgi_socket_prefix = '/var/run/wsgi'
} else {
$wsgi_socket_prefix = undef
}
+ $cas_cookie_path = '/var/cache/mod_auth_cas/'
+ $modsec_crs_package = 'mod_security_crs'
+ $modsec_crs_path = '/usr/lib/modsecurity.d'
+ $modsec_dir = '/etc/httpd/modsecurity.d'
+ $modsec_default_rules = [
+ 'base_rules/modsecurity_35_bad_robots.data',
+ 'base_rules/modsecurity_35_scanners.data',
+ 'base_rules/modsecurity_40_generic_attacks.data',
+ 'base_rules/modsecurity_41_sql_injection_attacks.data',
+ 'base_rules/modsecurity_50_outbound.data',
+ 'base_rules/modsecurity_50_outbound_malware.data',
+ 'base_rules/modsecurity_crs_20_protocol_violations.conf',
+ 'base_rules/modsecurity_crs_21_protocol_anomalies.conf',
+ 'base_rules/modsecurity_crs_23_request_limits.conf',
+ 'base_rules/modsecurity_crs_30_http_policy.conf',
+ 'base_rules/modsecurity_crs_35_bad_robots.conf',
+ 'base_rules/modsecurity_crs_40_generic_attacks.conf',
+ 'base_rules/modsecurity_crs_41_sql_injection_attacks.conf',
+ 'base_rules/modsecurity_crs_41_xss_attacks.conf',
+ 'base_rules/modsecurity_crs_42_tight_security.conf',
+ 'base_rules/modsecurity_crs_45_trojans.conf',
+ 'base_rules/modsecurity_crs_47_common_exceptions.conf',
+ 'base_rules/modsecurity_crs_49_inbound_blocking.conf',
+ 'base_rules/modsecurity_crs_50_outbound.conf',
+ 'base_rules/modsecurity_crs_59_outbound_blocking.conf',
+ 'base_rules/modsecurity_crs_60_correlation.conf'
+ ]
} elsif $::osfamily == 'Debian' {
$user = 'www-data'
$group = 'www-data'
@@ -137,6 +172,7 @@
$suphp_engine = 'off'
$suphp_configpath = '/etc/php5/apache2'
$mod_packages = {
+ 'auth_cas' => 'libapache2-mod-auth-cas',
'auth_kerb' => 'libapache2-mod-auth-kerb',
'dav_svn' => 'libapache2-svn',
'fastcgi' => 'libapache2-mod-fastcgi',
@@ -149,6 +185,7 @@
'proxy_html' => 'libapache2-mod-proxy-html',
'python' => 'libapache2-mod-python',
'rpaf' => 'libapache2-mod-rpaf',
+ 'security' => 'libapache2-modsecurity',
'suphp' => 'libapache2-mod-suphp',
'wsgi' => 'libapache2-mod-wsgi',
'xsendfile' => 'libapache2-mod-xsendfile',
@@ -165,6 +202,34 @@
$mime_support_package = 'mime-support'
$mime_types_config = '/etc/mime.types'
$docroot = '/var/www'
+ $cas_cookie_path = '/var/cache/apache2/mod_auth_cas/'
+ $modsec_crs_package = 'modsecurity-crs'
+ $modsec_crs_path = '/usr/share/modsecurity-crs'
+ $modsec_dir = '/etc/modsecurity'
+ $modsec_default_rules = [
+ 'base_rules/modsecurity_35_bad_robots.data',
+ 'base_rules/modsecurity_35_scanners.data',
+ 'base_rules/modsecurity_40_generic_attacks.data',
+ 'base_rules/modsecurity_41_sql_injection_attacks.data',
+ 'base_rules/modsecurity_50_outbound.data',
+ 'base_rules/modsecurity_50_outbound_malware.data',
+ 'base_rules/modsecurity_crs_20_protocol_violations.conf',
+ 'base_rules/modsecurity_crs_21_protocol_anomalies.conf',
+ 'base_rules/modsecurity_crs_23_request_limits.conf',
+ 'base_rules/modsecurity_crs_30_http_policy.conf',
+ 'base_rules/modsecurity_crs_35_bad_robots.conf',
+ 'base_rules/modsecurity_crs_40_generic_attacks.conf',
+ 'base_rules/modsecurity_crs_41_sql_injection_attacks.conf',
+ 'base_rules/modsecurity_crs_41_xss_attacks.conf',
+ 'base_rules/modsecurity_crs_42_tight_security.conf',
+ 'base_rules/modsecurity_crs_45_trojans.conf',
+ 'base_rules/modsecurity_crs_47_common_exceptions.conf',
+ 'base_rules/modsecurity_crs_49_inbound_blocking.conf',
+ 'base_rules/modsecurity_crs_50_outbound.conf',
+ 'base_rules/modsecurity_crs_59_outbound_blocking.conf',
+ 'base_rules/modsecurity_crs_60_correlation.conf'
+ ]
+ $error_documents_path = '/usr/share/apache2/error'
#
# Passenger-specific settings
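Review bot: The 21-entry `$modsec_default_rules` array added here is a verbatim copy of the one added to the RedHat branch earlier in this file. Defining the list once and referencing it from both branches would stop the two copies drifting apart when a rule file is added or dropped. It would also help to document next to the list that it includes blocking rule sets (`modsecurity_crs_49_inbound_blocking.conf`, `modsecurity_crs_59_outbound_blocking.conf`) by default, since that determines what a user gets on first enabling the class.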
@@ -202,6 +267,11 @@
$passenger_ruby = '/usr/bin/ruby'
$passenger_default_ruby = undef
}
+ 'jessie': {
+ $passenger_root = '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini'
+ $passenger_ruby = undef
+ $passenger_default_ruby = '/usr/bin/ruby'
+ }
default: {
# The following settings may or may not work on Debian releases not
# supported by this module.
@@ -217,9 +287,9 @@
$user = 'www'
$group = 'www'
$root_group = 'wheel'
- $apache_name = 'apache22'
- $service_name = 'apache22'
- $httpd_dir = '/usr/local/etc/apache22'
+ $apache_name = 'apache24'
+ $service_name = 'apache24'
+ $httpd_dir = '/usr/local/etc/apache24'
$server_root = '/usr/local'
$conf_dir = $httpd_dir
$confd_dir = "${httpd_dir}/Includes"
@@ -229,14 +299,14 @@
$vhost_enable_dir = undef
$conf_file = 'httpd.conf'
$ports_file = "${conf_dir}/ports.conf"
- $logroot = '/var/log/apache22'
+ $logroot = '/var/log/apache24'
$logroot_mode = undef
- $lib_path = '/usr/local/libexec/apache22'
+ $lib_path = '/usr/local/libexec/apache24'
$mpm_module = 'prefork'
$dev_packages = undef
- $default_ssl_cert = '/usr/local/etc/apache22/server.crt'
- $default_ssl_key = '/usr/local/etc/apache22/server.key'
- $ssl_certs_dir = '/usr/local/etc/apache22'
+ $default_ssl_cert = '/usr/local/etc/apache24/server.crt'
+ $default_ssl_key = '/usr/local/etc/apache24/server.key'
+ $ssl_certs_dir = '/usr/local/etc/apache24'
$passenger_conf_file = 'passenger.conf'
$passenger_conf_package_file = undef
$passenger_root = '/usr/local/lib/ruby/gems/1.9/gems/passenger-4.0.10'
@@ -246,7 +316,7 @@
$suphp_engine = 'off'
$suphp_configpath = undef
$mod_packages = {
- # NOTE: I list here only modules that are not included in www/apache22
+ # NOTE: I list here only modules that are not included in www/apache24
# NOTE: 'passenger' needs to enable APACHE_SUPPORT in make config
# NOTE: 'php' needs to enable APACHE option in make config
# NOTE: 'dav_svn' needs to enable MOD_DAV_SVN make config
@@ -255,7 +325,7 @@
'fcgid' => 'www/mod_fcgid',
'passenger' => 'www/rubygem-passenger',
'perl' => 'www/mod_perl2',
- 'php5' => 'lang/php5',
+ 'php5' => 'www/mod_php5',
'proxy_html' => 'www/mod_proxy_html',
'python' => 'www/mod_python3',
'wsgi' => 'www/mod_wsgi',
@@ -275,7 +345,8 @@
$mime_support_package = 'misc/mime-support'
$mime_types_config = '/usr/local/etc/mime.types'
$wsgi_socket_prefix = undef
- $docroot = '/usr/local/www/apache22/data'
+ $docroot = '/usr/local/www/apache24/data'
+ $error_documents_path = '/usr/local/www/apache24/error'
} else {
fail("Class['apache::params']: Unsupported osfamily: ${::osfamily}")
}
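Review bot: The FreeBSD branch gains `$error_documents_path` here, but none of the hunks in this file add `$cas_cookie_path`, `$modsec_crs_package`, `$modsec_crs_path`, `$modsec_dir` or `$modsec_default_rules` for FreeBSD, although they are added for RedHat and Debian. `apache::security::rule_link` builds its link target from `${::apache::params::modsec_crs_path}`, so on FreeBSD that target would start at `/`. Either define the values for FreeBSD or have the security and auth_cas classes `fail()` with a clear message on unsupported platforms.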
diff --git a/manifests/peruser/multiplexer.pp b/manifests/peruser/multiplexer.pp
index 9e57ac30b2..97143a1d4f 100644
--- a/manifests/peruser/multiplexer.pp
+++ b/manifests/peruser/multiplexer.pp
@@ -12,6 +12,6 @@
ensure => file,
content => "Multiplexer ${user} ${group}\n",
require => File["${::apache::mod_dir}/peruser/multiplexers"],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/peruser/processor.pp b/manifests/peruser/processor.pp
index 1d68934657..30de61d7c4 100644
--- a/manifests/peruser/processor.pp
+++ b/manifests/peruser/processor.pp
@@ -12,6 +12,6 @@
ensure => file,
content => "Processor ${user} ${group}\n",
require => File["${::apache::mod_dir}/peruser/processors"],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
}
diff --git a/manifests/security/rule_link.pp b/manifests/security/rule_link.pp
new file mode 100644
index 0000000000..a56a2d97f0
--- /dev/null
+++ b/manifests/security/rule_link.pp
@@ -0,0 +1,13 @@
+define apache::security::rule_link () {
+
+ $parts = split($title, '/')
+ $filename = $parts[-1]
+
+ file { $filename:
+ ensure => 'link',
+ path => "${::apache::mod::security::modsec_dir}/activated_rules/${filename}",
+ target => "${::apache::params::modsec_crs_path}/${title}",
+ require => File["${::apache::mod::security::modsec_dir}/activated_rules"],
+ notify => Class['apache::service'],
+ }
+}
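Review bot: The `file` resource is titled with the bare `$filename`, so it collides with any other `File` resource in the catalog that uses the same title, including a second `rule_link` whose rule has the same basename under a different subdirectory. Using the full `path` value as the title avoids the duplicate declaration. The define also has no header comment explaining that `$title` is a path relative to `modsec_crs_path`, and nothing checks that `$title` is a relative path without `..` segments before it is interpolated into `target`. A `validate_re` on the title would make misuse fail early.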
diff --git a/manifests/service.pp b/manifests/service.pp
index 0c1f7b96aa..d934f3d46b 100644
--- a/manifests/service.pp
+++ b/manifests/service.pp
@@ -20,12 +20,14 @@
$service_name = $::apache::params::service_name,
$service_enable = true,
$service_ensure = 'running',
+ $service_manage = true,
) {
# The base class must be included first because parameter defaults depend on it
if ! defined(Class['apache::params']) {
fail('You must include the apache::params class before using any apache defined resources')
}
validate_bool($service_enable)
+ validate_bool($service_manage)
case $service_ensure {
true, false, 'running', 'stopped': {
@@ -35,10 +37,11 @@
$_service_ensure = undef
}
}
-
- service { 'httpd':
- ensure => $_service_ensure,
- name => $service_name,
- enable => $service_enable,
+ if $service_manage {
+ service { 'httpd':
+ ensure => $_service_ensure,
+ name => $service_name,
+ enable => $service_enable,
+ }
}
}
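Review bot: With `service_manage => false` the catalog contains no `Service['httpd']` at all, so any manifest that still uses `notify => Service['httpd']` or `require => Service['httpd']` will fail to compile. This patch moves the module's own resources to `Class['apache::service']`, but user code and other modules are not covered, so the parameter documentation should call this out. It should also state that `$service_enable` and `$service_ensure` are silently ignored when management is off.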
diff --git a/manifests/version.pp b/manifests/version.pp
index dc5288dca0..7f1da0f071 100644
--- a/manifests/version.pp
+++ b/manifests/version.pp
@@ -12,21 +12,23 @@
case $::osfamily {
'RedHat': {
- if ($::operatingsystem == 'Fedora' and $distrelease >= 18) or ($::operatingsystem != 'Fedora' and $distrelease >= 7) {
+ if ($::operatingsystem == 'Fedora' and versioncmp($distrelease, '18') >= 0) or ($::operatingsystem != 'Fedora' and versioncmp($distrelease, '7') >= 0) {
$default = '2.4'
} else {
$default = '2.2'
}
}
'Debian': {
- if $::operatingsystem == 'Ubuntu' and $::operatingsystemrelease >= 13.10 {
+ if $::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '13.10') >= 0 {
+ $default = '2.4'
+ } elsif $::operatingsystem == 'Debian' and versioncmp($distrelease, '8') >= 0 {
$default = '2.4'
} else {
$default = '2.2'
}
}
'FreeBSD': {
- $default = '2.2'
+ $default = '2.4'
}
default: {
fail("Class['apache::version']: Unsupported osfamily: ${::osfamily}")
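Review bot: The FreeBSD branch now sets `$default = '2.4'` unconditionally, which together with the `apache22` to `apache24` path changes in `manifests/params.pp` switches existing FreeBSD nodes to a different package, config directory and log root on upgrade. This is a breaking change for anyone still on apache22 and should be stated as such in the changelog, with a note on how to pin the old behaviour. The `versioncmp()` conversions in the RedHat and Debian branches look right.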
diff --git a/manifests/vhost.pp b/manifests/vhost.pp
index 0841dfff47..b772654cf2 100644
--- a/manifests/vhost.pp
+++ b/manifests/vhost.pp
@@ -40,11 +40,12 @@
$logroot_mode = undef,
$log_level = undef,
$access_log = true,
- $access_log_file = undef,
- $access_log_pipe = undef,
- $access_log_syslog = undef,
- $access_log_format = undef,
- $access_log_env_var = undef,
+ $access_log_file = false,
+ $access_log_pipe = false,
+ $access_log_syslog = false,
+ $access_log_format = false,
+ $access_log_env_var = false,
+ $access_logs = undef,
$aliases = undef,
$directories = undef,
$error_log = true,
@@ -60,6 +61,8 @@
$suphp_addhandler = $::apache::params::suphp_addhandler,
$suphp_engine = $::apache::params::suphp_engine,
$suphp_configpath = $::apache::params::suphp_configpath,
+ $php_flags = {},
+ $php_values = {},
$php_admin_flags = {},
$php_admin_values = {},
$no_proxy_uris = [],
@@ -106,6 +109,10 @@
$passenger_start_timeout = undef,
$passenger_pre_start = undef,
$add_default_charset = undef,
+ $modsec_disable_vhost = undef,
+ $modsec_disable_ids = undef,
+ $modsec_disable_ips = undef,
+ $modsec_body_limit = undef,
) {
# The base class must be included first because it is used by parameter defaults
if ! defined(Class['apache']) {
@@ -223,11 +230,13 @@
# Configure the defaultness of a vhost
if $priority {
- $priority_real = $priority
+ $priority_real = "${priority}-"
+ } elsif $priority == false {
+ $priority_real = ''
} elsif $default_vhost {
- $priority_real = '10'
+ $priority_real = '10-'
} else {
- $priority_real = '25'
+ $priority_real = '25-'
}
## Apache include does not always work with spaces in the filename
@@ -242,7 +251,7 @@
group => $docroot_group,
mode => $docroot_mode,
require => Package['httpd'],
- before => Concat["${priority_real}-${filename}.conf"],
+ before => Concat["${priority_real}${filename}.conf"],
}
}
@@ -252,7 +261,7 @@
ensure => $logroot_ensure,
mode => $logroot_mode,
require => Package['httpd'],
- before => Concat["${priority_real}-${filename}.conf"],
+ before => Concat["${priority_real}${filename}.conf"],
}
}
@@ -263,19 +272,28 @@
# Is apache::mod::shib enabled (or apache::mod['shib2'])
$shibboleth_enabled = defined(Apache::Mod['shib2'])
- # Define log file names
- if $access_log_file {
- $access_log_destination = "${logroot}/${access_log_file}"
- } elsif $access_log_pipe {
- $access_log_destination = $access_log_pipe
- } elsif $access_log_syslog {
- $access_log_destination = $access_log_syslog
- } else {
- if $ssl {
- $access_log_destination = "${logroot}/${name}_access_ssl.log"
+ if $access_log and !$access_logs {
+ if $access_log_file {
+ $_logs_dest = "${logroot}/${access_log_file}"
+ } elsif $access_log_pipe {
+ $_logs_dest = $access_log_pipe
+ } elsif $access_log_syslog {
+ $_logs_dest = $access_log_syslog
} else {
- $access_log_destination = "${logroot}/${name}_access.log"
+ $_logs_dest = undef
+ }
+ $_access_logs = [{
+ 'file' => $access_log_file,
+ 'pipe' => $access_log_pipe,
+ 'syslog' => $access_log_syslog,
+ 'format' => $access_log_format,
+ 'env' => $access_log_env_var
+ }]
+ } elsif $access_logs {
+ if !is_array($access_logs) {
+ fail("Apache::Vhost[${name}]: access_logs must be an array of hashes")
}
+ $_access_logs = $access_logs
}
if $error_log_file {
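Review bot: `$_logs_dest` is assigned in every branch of the new `if $access_log and !$access_logs` block but is never used in the `$_access_logs` hash built directly after it, so in these lines it is dead code. Either drop the `if/elsif` chain or pass the computed value into the hash. The removed fallback to `${logroot}/${name}_access.log` and `${name}_access_ssl.log` now has to be reproduced in the template; a comment here pointing to where the default destination is decided would make that visible. The `is_array` check also only validates the container, while the error message promises an array of hashes; checking the first element, as the `$directories` validation in this file does, would match the message.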
@@ -292,17 +310,6 @@
}
}
- # Set access log format
- if $access_log_format {
- $_access_log_format = "\"${access_log_format}\""
- } else {
- $_access_log_format = 'combined'
- }
-
- if $access_log_env_var {
- $_access_log_env_var = "env=${access_log_env_var}"
- }
-
if $ip {
if $port {
$listen_addr_port = "${ip}:${port}"
@@ -385,6 +392,12 @@
}
}
+ if ($setenv and ! empty($setenv)) or ($setenvif and ! empty($setenvif)) {
+ if ! defined(Class['apache::mod::setenvif']) {
+ include ::apache::mod::setenvif
+ }
+ }
+
## Create a default directory list if none defined
if $directories {
if !is_hash($directories) and !(is_array($directories) and is_hash($directories[0])) {
@@ -414,31 +427,42 @@
$_directories = [ merge($_directory, $_directory_version) ]
}
- concat { "${priority_real}-${filename}.conf":
+ ## Create a global LocationMatch if locations aren't defined
+ if $modsec_disable_ids {
+ if is_hash($modsec_disable_ids) {
+ $_modsec_disable_ids = $modsec_disable_ids
+ } elsif is_array($modsec_disable_ids) {
+ $_modsec_disable_ids = { '.*' => $modsec_disable_ids }
+ } else {
+ fail("Apache::Vhost[${name}]: 'modsec_disable_ids' must be either a Hash of location/IDs or an Array of IDs")
+ }
+ }
+
+ concat { "${priority_real}${filename}.conf":
ensure => $ensure,
- path => "${::apache::vhost_dir}/${priority_real}-${filename}.conf",
+ path => "${::apache::vhost_dir}/${priority_real}${filename}.conf",
owner => 'root',
group => $::apache::params::root_group,
mode => '0644',
order => 'numeric',
require => Package['httpd'],
- notify => Service['httpd'],
+ notify => Class['apache::service'],
}
- if $::osfamily == 'Debian' {
+ if $::apache::vhost_enable_dir {
$vhost_enable_dir = $::apache::vhost_enable_dir
$vhost_symlink_ensure = $ensure ? {
present => link,
default => $ensure,
}
- file{ "${priority_real}-${filename}.conf symlink":
+ file{ "${priority_real}${filename}.conf symlink":
ensure => $vhost_symlink_ensure,
- path => "${vhost_enable_dir}/${priority_real}-${filename}.conf",
- target => "${::apache::vhost_dir}/${priority_real}-${filename}.conf",
+ path => "${vhost_enable_dir}/${priority_real}${filename}.conf",
+ target => "${::apache::vhost_dir}/${priority_real}${filename}.conf",
owner => 'root',
group => $::apache::params::root_group,
mode => '0644',
- require => Concat["${priority_real}-${filename}.conf"],
- notify => Service['httpd'],
+ require => Concat["${priority_real}${filename}.conf"],
+ notify => Class['apache::service'],
}
}
@@ -447,7 +471,7 @@
# - $servername
# - $serveradmin
concat::fragment { "${name}-apache-header":
- target => "${priority_real}-${filename}.conf",
+ target => "${priority_real}${filename}.conf",
order => 0,
content => template('apache/vhost/_file_header.erb'),
}
@@ -456,7 +480,7 @@
# - $virtual_docroot
# - $docroot
concat::fragment { "${name}-docroot":
- target => "${priority_real}-${filename}.conf",
+ target => "${priority_real}${filename}.conf",
order => 10,
content => template('apache/vhost/_docroot.erb'),
}
@@ -465,7 +489,7 @@
# - $aliases
if $aliases and ! empty($aliases) {
concat::fragment { "${name}-aliases":
- target => "${priority_real}-${filename}.conf",
+ target => "${priority_real}${filename}.conf",
order => 20,
content => template('apache/vhost/_aliases.erb'),
}
@@ -476,7 +500,7 @@
# - $::kernelversion
if $itk and ! empty($itk) {
concat::fragment { "${name}-itk":
- target => "${priority_real}-${filename}.conf",
+ target => "${priority_real}${filename}.conf",
order => 30,
content => template('apache/vhost/_itk.erb'),
}
@@ -486,12 +510,22 @@
# - $fallbackresource
if $fallbackresource {
concat::fragment { "${name}-fallbackresource":
- target => "${priority_real}-${filename}.conf",
+ target => "${priority_real}${filename}.conf",
order => 40,
content => template('apache/vhost/_fallbackresource.erb'),
}
}
+ # Template uses:
+ # - $allow_encoded_slashes
+ if $allow_encoded_slashes {
+ concat::fragment { "${name}-allow_encoded_slashes":
+ target => "${priority_real}${filename}.conf",
+ order => 50,
+ content => template('apache/vhost/_allow_encoded_slashes.erb'),
+ }
+ }
+
# Template uses:
# - $_directories
# - $docroot
@@ -500,8 +534,8 @@
# - $shibboleth_enabled
if $_directories and ! empty($_directories) {
concat::fragment { "${name}-directories":
- target => "${priority_real}-${filename}.conf",
- order => 50,
+ target => "${priority_real}${filename}.conf",
+ order => 60,
content => template('apache/vhost/_directories.erb'),
}
}
@@ -510,8 +544,8 @@
# - $additional_includes
if $additional_includes and ! empty($additional_includes) {
concat::fragment { "${name}-additional_includes":
- target => "${priority_real}-${filename}.conf",
- order => 60,
+ target => "${priority_real}${filename}.conf",
+ order => 70,
content => template('apache/vhost/_additional_includes.erb'),
}
}
@@ -523,16 +557,16 @@
# - $log_level
if $error_log or $log_level {
concat::fragment { "${name}-logging":
- target => "${priority_real}-${filename}.conf",
- order => 70,
+ target => "${priority_real}${filename}.conf",
+ order => 80,
content => template('apache/vhost/_logging.erb'),
}
}
# Template uses no variables
concat::fragment { "${name}-serversignature":
- target => "${priority_real}-${filename}.conf",
- order => 80,
+ target => "${priority_real}${filename}.conf",
+ order => 90,
content => template('apache/vhost/_serversignature.erb'),
}
@@ -542,10 +576,11 @@
# - $access_log_destination
# - $_access_log_format
# - $_access_log_env_var
- if $access_log {
+ # - $access_logs
+ if $access_log or $access_logs {
concat::fragment { "${name}-access_log":
- target => "${priority_real}-${filename}.conf",
- order => 90,
+ target => "${priority_real}${filename}.conf",
+ order => 100,
content => template('apache/vhost/_access_log.erb'),
}
}
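Review bot: The "Template uses" comment above this fragment still lists `$access_log_destination`, `$_access_log_format` and `$_access_log_env_var`, all of which this patch removes from the manifest in earlier hunks. The list should be updated to the variables the template reads now (`$_access_logs`, plus whatever it needs for the default destination). The added entry reads `$access_logs`, while the variable set in the manifest is `$_access_logs`.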
@@ -554,8 +589,8 @@
# - $action
if $action {
concat::fragment { "${name}-action":
- target => "${priority_real}-${filename}.conf",
- order => 100,
+ target => "${priority_real}${filename}.conf",
+ order => 110,
content => template('apache/vhost/_action.erb'),
}
}
@@ -565,8 +600,8 @@
# - $apache_version
if $block and ! empty($block) {
concat::fragment { "${name}-block":
- target => "${priority_real}-${filename}.conf",
- order => 110,
+ target => "${priority_real}${filename}.conf",
+ order => 120,
content => template('apache/vhost/_block.erb'),
}
}
@@ -575,8 +610,8 @@
# - $error_documents
if $error_documents and ! empty($error_documents) {
concat::fragment { "${name}-error_document":
- target => "${priority_real}-${filename}.conf",
- order => 120,
+ target => "${priority_real}${filename}.conf",
+ order => 130,
content => template('apache/vhost/_error_document.erb'),
}
}
@@ -588,8 +623,8 @@
# - $no_proxy_uris
if $proxy_dest or $proxy_pass {
concat::fragment { "${name}-proxy":
- target => "${priority_real}-${filename}.conf",
- order => 130,
+ target => "${priority_real}${filename}.conf",
+ order => 140,
content => template('apache/vhost/_proxy.erb'),
}
}
@@ -598,8 +633,8 @@
# - $rack_base_uris
if $rack_base_uris {
concat::fragment { "${name}-rack":
- target => "${priority_real}-${filename}.conf",
- order => 140,
+ target => "${priority_real}${filename}.conf",
+ order => 150,
content => template('apache/vhost/_rack.erb'),
}
}
@@ -619,8 +654,8 @@
# - $redirectmatch_dest
if ($redirect_source and $redirect_dest) or ($redirectmatch_status and $redirectmatch_regexp and $redirectmatch_dest) {
concat::fragment { "${name}-redirect":
- target => "${priority_real}-${filename}.conf",
- order => 150,
+ target => "${priority_real}${filename}.conf",
+ order => 160,
content => template('apache/vhost/_redirect.erb'),
}
}
@@ -632,8 +667,8 @@
# - $rewrite_cond
if $rewrites or $rewrite_rule {
concat::fragment { "${name}-rewrite":
- target => "${priority_real}-${filename}.conf",
- order => 160,
+ target => "${priority_real}${filename}.conf",
+ order => 170,
content => template('apache/vhost/_rewrite.erb'),
}
}
@@ -643,8 +678,8 @@
# - $scriptalias
if $scriptaliases and ! empty($scriptaliases) {
concat::fragment { "${name}-scriptalias":
- target => "${priority_real}-${filename}.conf",
- order => 170,
+ target => "${priority_real}${filename}.conf",
+ order => 180,
content => template('apache/vhost/_scriptalias.erb'),
}
}
@@ -653,8 +688,8 @@
# - $serveraliases
if $serveraliases and ! empty($serveraliases) {
concat::fragment { "${name}-serveralias":
- target => "${priority_real}-${filename}.conf",
- order => 180,
+ target => "${priority_real}${filename}.conf",
+ order => 190,
content => template('apache/vhost/_serveralias.erb'),
}
}
@@ -664,8 +699,8 @@
# - $setenvif
if ($setenv and ! empty($setenv)) or ($setenvif and ! empty($setenvif)) {
concat::fragment { "${name}-setenv":
- target => "${priority_real}-${filename}.conf",
- order => 190,
+ target => "${priority_real}${filename}.conf",
+ order => 200,
content => template('apache/vhost/_setenv.erb'),
}
}
@@ -690,8 +725,8 @@
# - $apache_version
if $ssl {
concat::fragment { "${name}-ssl":
- target => "${priority_real}-${filename}.conf",
- order => 200,
+ target => "${priority_real}${filename}.conf",
+ order => 210,
content => template('apache/vhost/_ssl.erb'),
}
}
@@ -702,19 +737,30 @@
# - $suphp_configpath
if $suphp_engine == 'on' {
concat::fragment { "${name}-suphp":
- target => "${priority_real}-${filename}.conf",
- order => 210,
+ target => "${priority_real}${filename}.conf",
+ order => 220,
content => template('apache/vhost/_suphp.erb'),
}
}
+ # Template uses:
+ # - $php_values
+ # - $php_flags
+ if ($php_values and ! empty($php_values)) or ($php_flags and ! empty($php_flags)) {
+ concat::fragment { "${name}-php":
+ target => "${priority_real}${filename}.conf",
+ order => 220,
+ content => template('apache/vhost/_php.erb'),
+ }
+ }
+
# Template uses:
# - $php_admin_values
# - $php_admin_flags
if ($php_admin_values and ! empty($php_admin_values)) or ($php_admin_flags and ! empty($php_admin_flags)) {
concat::fragment { "${name}-php_admin":
- target => "${priority_real}-${filename}.conf",
- order => 220,
+ target => "${priority_real}${filename}.conf",
+ order => 230,
content => template('apache/vhost/_php_admin.erb'),
}
}
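Review bot: The new `${name}-php` fragment uses `order => 220`, the same value the `${name}-suphp` fragment is renumbered to in this hunk. Every other fragment in the patch moves up by 10 to keep the orders unique, so this looks like an oversight. With two fragments at the same numeric order, their relative position in the generated vhost file depends on how concat breaks ties. Giving the php fragment its own slot and shifting the later fragments accordingly keeps the output deterministic.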
@@ -723,8 +769,8 @@
# - $headers
if $headers and ! empty($headers) {
concat::fragment { "${name}-header":
- target => "${priority_real}-${filename}.conf",
- order => 230,
+ target => "${priority_real}${filename}.conf",
+ order => 240,
content => template('apache/vhost/_header.erb'),
}
}
@@ -733,8 +779,8 @@
# - $request_headers
if $request_headers and ! empty($request_headers) {
concat::fragment { "${name}-requestheader":
- target => "${priority_real}-${filename}.conf",
- order => 240,
+ target => "${priority_real}${filename}.conf",
+ order => 250,
content => template('apache/vhost/_requestheader.erb'),
}
}
@@ -750,8 +796,8 @@
# - $wsgi_pass_authorization
if $wsgi_application_group or $wsgi_daemon_process or ($wsgi_import_script and $wsgi_import_script_options) or $wsgi_process_group or ($wsgi_script_aliases and ! empty($wsgi_script_aliases)) or $wsgi_pass_authorization {
concat::fragment { "${name}-wsgi":
- target => "${priority_real}-${filename}.conf",
- order => 250,
+ target => "${priority_real}${filename}.conf",
+ order => 260,
content => template('apache/vhost/_wsgi.erb'),
}
}
@@ -760,8 +806,8 @@
# - $custom_fragment
if $custom_fragment {
concat::fragment { "${name}-custom_fragment":
- target => "${priority_real}-${filename}.conf",
- order => 260,
+ target => "${priority_real}${filename}.conf",
+ order => 270,
content => template('apache/vhost/_custom_fragment.erb'),
}
}
@@ -773,8 +819,8 @@
# - $apache_version
if $fastcgi_server or $fastcgi_dir {
concat::fragment { "${name}-fastcgi":
- target => "${priority_real}-${filename}.conf",
- order => 270,
+ target => "${priority_real}${filename}.conf",
+ order => 280,
content => template('apache/vhost/_fastcgi.erb'),
}
}
@@ -783,8 +829,8 @@
# - $suexec_user_group
if $suexec_user_group {
concat::fragment { "${name}-suexec":
- target => "${priority_real}-${filename}.conf",
- order => 280,
+ target => "${priority_real}${filename}.conf",
+ order => 290,
content => template('apache/vhost/_suexec.erb'),
}
}
@@ -797,8 +843,8 @@
# - $passenger_pre_start
if $passenger_app_root or $passenger_ruby or $passenger_min_instances or $passenger_start_timeout or $passenger_pre_start {
concat::fragment { "${name}-passenger":
- target => "${priority_real}-${filename}.conf",
- order => 290,
+ target => "${priority_real}${filename}.conf",
+ order => 300,
content => template('apache/vhost/_passenger.erb'),
}
}
@@ -807,15 +853,28 @@
# - $add_default_charset
if $add_default_charset {
concat::fragment { "${name}-charsets":
- target => "${priority_real}-${filename}.conf",
- order => 300,
+ target => "${priority_real}${filename}.conf",
+ order => 310,
content => template('apache/vhost/_charsets.erb'),
}
}
+ # Template uses:
+ # - $modsec_disable_vhost
+ # - $modsec_disable_ids
+ # - $modsec_disable_ips
+ # - $modsec_body_limit
+ if $modsec_disable_vhost or $modsec_disable_ids or $modsec_disable_ips {
+ concat::fragment { "${name}-security":
+ target => "${priority_real}${filename}.conf",
+ order => 320,
+ content => template('apache/vhost/_security.erb')
+ }
+ }
+
# Template uses no variables
concat::fragment { "${name}-file_footer":
- target => "${priority_real}-${filename}.conf",
+ target => "${priority_real}${filename}.conf",
order => 999,
content => template('apache/vhost/_file_footer.erb'),
}
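Review bot: The guard `if $modsec_disable_vhost or $modsec_disable_ids or $modsec_disable_ips` leaves out `$modsec_body_limit`, although the comment lists it as a template input. A vhost that sets only `modsec_body_limit` gets no security fragment, and the limit is silently dropped. Add it to the condition. The comment also names `$modsec_disable_ids`, while the normalised value computed earlier in this file is `$_modsec_disable_ids`; the comment should name the variable the template actually reads. The `content` line is missing its trailing comma.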
diff --git a/metadata.json b/metadata.json
index f6361a10e0..d778e3bfae 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,9 +1,9 @@
{
"name": "puppetlabs-apache",
- "version": "1.2.0",
+ "version": "1.3.0",
"author": "puppetlabs",
- "summary": "Puppet module for Apache",
- "license": "Apache 2.0",
+ "summary": "Installs, configures, and manages Apache virtual hosts, web services, and modules.",
+ "license": "Apache-2.0",
"source": "git://github.com/puppetlabs/puppetlabs-apache.git",
"project_page": "https://github.com/puppetlabs/puppetlabs-apache",
"issues_url": "https://tickets.puppetlabs.com/browse/MODULES",
diff --git a/spec/acceptance/apache_parameters_spec.rb b/spec/acceptance/apache_parameters_spec.rb
index 3a21ab0eb2..4c6fa7f56d 100644
--- a/spec/acceptance/apache_parameters_spec.rb
+++ b/spec/acceptance/apache_parameters_spec.rb
@@ -46,6 +46,7 @@
pp = <<-EOS
class { 'apache':
service_enable => true,
+ service_manage => true,
service_ensure => running,
}
EOS
@@ -75,6 +76,24 @@ class { 'apache':
end
end
+ describe 'service manage => false' do
+ it 'we dont manage the service, so it shouldnt start the service' do
+ pp = <<-EOS
+ class { 'apache':
+ service_enable => true,
+ service_manage => false,
+ service_ensure => true,
+ }
+ EOS
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ describe service($service_name) do
+ it { is_expected.not_to be_running }
+ it { is_expected.not_to be_enabled }
+ end
+ end
+
describe 'purge parameters => false' do
it 'applies cleanly' do
pp = <<-EOS
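Review bot: The `service manage => false` example asserts `not_to be_running` and `not_to be_enabled`, which only passes if the host happens to have the service stopped and disabled before this manifest is applied. An earlier example in this file applies `service_ensure => running`, so the result depends on test order and on what the intervening examples leave behind. Stop and disable the service explicitly in a setup step first. It would also be worth adding the opposite case: with the service already running, applying `service_manage => false, service_ensure => stopped` should leave it running, which is the behaviour the parameter promises.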
@@ -223,7 +242,7 @@ class { 'apache': httpd_dir => '/tmp', service_ensure => stopped }
describe 'confd_dir' do
describe 'setup' do
it 'applies cleanly' do
- pp = "class { 'apache': confd_dir => '/tmp/root', service_ensure => stopped }"
+ pp = "class { 'apache': confd_dir => '/tmp/root', service_ensure => stopped, use_optional_includes => true }"
apply_manifest(pp, :catch_failures => true)
end
end
@@ -339,7 +358,7 @@ class { 'apache':
describe 'setup' do
it 'applies cleanly' do
pp = <<-EOS
- if $::osfamily == 'RedHat' and $::selinux == 'true' {
+ if $::osfamily == 'RedHat' and $::selinux {
$semanage_package = $::operatingsystemmajrelease ? {
'5' => 'policycoreutils',
default => 'policycoreutils-python',
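Review bot: Replacing `$::selinux == 'true'` with a bare `$::selinux` changes the result on agents that deliver facts as strings. There the fact is the string `'false'` when SELinux is off, and a non-empty string is truthy, so the branch would run on hosts without SELinux. `str2bool("${::selinux}")` from stdlib handles both the string and the boolean form. The same change appears in `spec/acceptance/class_spec.rb`.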
diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb
index e006251cf8..76e5cd612f 100644
--- a/spec/acceptance/class_spec.rb
+++ b/spec/acceptance/class_spec.rb
@@ -9,8 +9,8 @@
package_name = 'apache2'
service_name = 'apache2'
when 'FreeBSD'
- package_name = 'apache22'
- service_name = 'apache22'
+ package_name = 'apache24'
+ service_name = 'apache24'
end
context 'default parameters' do
@@ -32,13 +32,17 @@ class { 'apache': }
it { is_expected.to be_enabled }
it { is_expected.to be_running }
end
+
+ describe port(80) do
+ it { should be_listening }
+ end
end
context 'custom site/mod dir parameters' do
# Using puppet_apply as a helper
it 'should work with no errors' do
pp = <<-EOS
- if $::osfamily == 'RedHat' and $::selinux == 'true' {
+ if $::osfamily == 'RedHat' and $::selinux {
$semanage_package = $::operatingsystemmajrelease ? {
'5' => 'policycoreutils',
default => 'policycoreutils-python',
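Review bot: The new `describe port(80)` block uses `it { should be_listening }` while the matchers directly above it in the same context use `is_expected.to`. Write it as `it { is_expected.to be_listening }` so the spec keeps one expectation syntax.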
diff --git a/spec/acceptance/custom_config_spec.rb b/spec/acceptance/custom_config_spec.rb
index fce6bb306f..8b59f703fb 100644
--- a/spec/acceptance/custom_config_spec.rb
+++ b/spec/acceptance/custom_config_spec.rb
@@ -35,4 +35,21 @@ class { 'apache': }
it { is_expected.to contain '# just a comment' }
end
end
+
+ describe 'custom_config without priority prefix' do
+ it 'applies cleanly' do
+ pp = <<-EOS
+ class { 'apache': }
+ apache::custom_config { 'prefix_test':
+ priority => false,
+ content => '# just a comment',
+ }
+ EOS
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ describe file("#{$confd_dir}/prefix_test.conf") do
+ it { is_expected.to be_file }
+ end
+ end
end
diff --git a/spec/acceptance/default_mods_spec.rb b/spec/acceptance/default_mods_spec.rb
index 2565ce77b9..f06a966af9 100644
--- a/spec/acceptance/default_mods_spec.rb
+++ b/spec/acceptance/default_mods_spec.rb
@@ -8,8 +8,8 @@
mod_dir = '/etc/apache2/mods-available'
servicename = 'apache2'
when 'FreeBSD'
- mod_dir = '/usr/local/etc/apache22/Modules'
- servicename = 'apache22'
+ mod_dir = '/usr/local/etc/apache24/Modules'
+ servicename = 'apache24'
end
describe 'apache::default_mods class', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do
diff --git a/spec/acceptance/itk_spec.rb b/spec/acceptance/itk_spec.rb
index b810657ec3..2dde8f407e 100644
--- a/spec/acceptance/itk_spec.rb
+++ b/spec/acceptance/itk_spec.rb
@@ -4,7 +4,7 @@
when 'Debian'
service_name = 'apache2'
when 'FreeBSD'
- service_name = 'apache22'
+ service_name = 'apache24'
else
# Not implemented yet
service_name = :skip
diff --git a/spec/acceptance/mod_dav_svn_spec.rb b/spec/acceptance/mod_dav_svn_spec.rb
index 7e5afed520..10c9b77d75 100644
--- a/spec/acceptance/mod_dav_svn_spec.rb
+++ b/spec/acceptance/mod_dav_svn_spec.rb
@@ -15,8 +15,8 @@
service_name = 'httpd'
authz_svn_load_file = 'dav_svn_authz_svn.load'
when 'FreeBSD'
- mod_dir = '/usr/local/etc/apache22/Modules'
- service_name = 'apache22'
+ mod_dir = '/usr/local/etc/apache24/Modules'
+ service_name = 'apache24'
authz_svn_load_file = 'dav_svn_authz_svn.load'
end
diff --git a/spec/acceptance/mod_deflate_spec.rb b/spec/acceptance/mod_deflate_spec.rb
index 6052cc283f..668897c049 100644
--- a/spec/acceptance/mod_deflate_spec.rb
+++ b/spec/acceptance/mod_deflate_spec.rb
@@ -9,8 +9,8 @@
mod_dir = '/etc/httpd/conf.d'
service_name = 'httpd'
when 'FreeBSD'
- mod_dir = '/usr/local/etc/apache22/Modules'
- service_name = 'apache22'
+ mod_dir = '/usr/local/etc/apache24/Modules'
+ service_name = 'apache24'
end
context "default deflate config" do
diff --git a/spec/acceptance/mod_mime_spec.rb b/spec/acceptance/mod_mime_spec.rb
index ff93dbca67..6bd959ce3a 100644
--- a/spec/acceptance/mod_mime_spec.rb
+++ b/spec/acceptance/mod_mime_spec.rb
@@ -9,8 +9,8 @@
mod_dir = '/etc/httpd/conf.d'
service_name = 'httpd'
when 'FreeBSD'
- mod_dir = '/usr/local/etc/apache22/Modules'
- service_name = 'apache22'
+ mod_dir = '/usr/local/etc/apache24/Modules'
+ service_name = 'apache24'
end
context "default mime config" do
diff --git a/spec/acceptance/mod_negotiation_spec.rb b/spec/acceptance/mod_negotiation_spec.rb
index 25e4acbeae..371ab0f1d6 100644
--- a/spec/acceptance/mod_negotiation_spec.rb
+++ b/spec/acceptance/mod_negotiation_spec.rb
@@ -11,9 +11,9 @@
mod_dir = '/etc/httpd/conf.d'
service_name = 'httpd'
when 'FreeBSD'
- vhost_dir = '/usr/local/etc/apache22/Vhosts'
- mod_dir = '/usr/local/etc/apache22/Modules'
- service_name = 'apache22'
+ vhost_dir = '/usr/local/etc/apache24/Vhosts'
+ mod_dir = '/usr/local/etc/apache24/Modules'
+ service_name = 'apache24'
end
context "default negotiation config" do
diff --git a/spec/acceptance/mod_pagespeed_spec.rb b/spec/acceptance/mod_pagespeed_spec.rb
index 0bc07389da..24b6807946 100644
--- a/spec/acceptance/mod_pagespeed_spec.rb
+++ b/spec/acceptance/mod_pagespeed_spec.rb
@@ -11,9 +11,9 @@
mod_dir = '/etc/httpd/conf.d'
service_name = 'httpd'
when 'FreeBSD'
- vhost_dir = '/usr/local/etc/apache22/Vhosts'
- mod_dir = '/usr/local/etc/apache22/Modules'
- service_name = 'apache22'
+ vhost_dir = '/usr/local/etc/apache24/Vhosts'
+ mod_dir = '/usr/local/etc/apache24/Modules'
+ service_name = 'apache24'
end
context "default pagespeed config" do
diff --git a/spec/acceptance/mod_passenger_spec.rb b/spec/acceptance/mod_passenger_spec.rb
index 9a758a44ee..f6e710db01 100644
--- a/spec/acceptance/mod_passenger_spec.rb
+++ b/spec/acceptance/mod_passenger_spec.rb
@@ -31,6 +31,10 @@
when 'wheezy'
passenger_root = '/usr'
passenger_ruby = '/usr/bin/ruby'
+ when 'jessie'
+ passenger_root = '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini'
+ passenger_ruby = '/usr/bin/ruby'
+ passenger_default_ruby = '/usr/bin/ruby'
else
# This may or may not work on Debian releases other than the above
passenger_root = '/usr'
@@ -124,6 +128,9 @@ class { 'apache::mod::passenger': }
when 'wheezy'
it { is_expected.to contain "PassengerRuby \"#{passenger_ruby}\"" }
it { is_expected.not_to contain "/PassengerDefaultRuby/" }
+ when 'jessie'
+ it { is_expected.to contain "PassengerDefaultRuby \"#{passenger_ruby}\"" }
+ it { is_expected.not_to contain "/PassengerRuby/" }
else
# This may or may not work on Debian releases other than the above
it { is_expected.to contain "PassengerRuby \"#{passenger_ruby}\"" }
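Review bot: In the new 'jessie' branch, `is_expected.not_to contain "/PassengerRuby/"` passes a quoted string with the slashes included, so it is matched as the text /PassengerRuby/ rather than as the directive name and would pass even if a PassengerRuby line were present. Use a regex literal or the bare directive name (the existing 'wheezy' branch has the same pattern). The positive assertion also interpolates `passenger_ruby` although the previous hunk defines `passenger_default_ruby` for jessie; use that variable so the two cannot drift apart.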
@@ -137,14 +144,15 @@ class { 'apache::mod::passenger': }
end
it 'should output status via passenger-memory-stats' do
- shell("/usr/sbin/passenger-memory-stats") do |r|
+ shell("PATH=/usr/bin:$PATH /usr/sbin/passenger-memory-stats") do |r|
expect(r.stdout).to match(/Apache processes/)
expect(r.stdout).to match(/Nginx processes/)
expect(r.stdout).to match(/Passenger processes/)
- # passenger-memory-stats output on Ubuntu 14.04 does not contain
+ # passenger-memory-stats output on newer Debian/Ubuntu verions do not contain
# these two lines
- unless fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '14.04'
+ unless ((fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '14.04') or
+ (fact('operatingsystem') == 'Debian' && fact('operatingsystemrelease') == '8.0'))
expect(r.stdout).to match(/### Processes: [0-9]+/)
expect(r.stdout).to match(/### Total private dirty RSS: [0-9\.]+ MB/)
end
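Review bot: The new Debian clause compares `fact('operatingsystemrelease') == '8.0'`, an exact string match that stops applying on any 8.x point release; key it on the release codename as the `when 'jessie'` branches earlier in this spec do, or match on the major version. The rewritten comment has a typo ("verions") and should read "output on newer Debian/Ubuntu versions does not contain", and the `or` joining the two clauses is better written `||` to match the `&&` beside it.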
@@ -158,7 +166,7 @@ class { 'apache::mod::passenger': }
unless fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '12.04'
it 'should output status via passenger-status' do
# xml output not available on ubunutu <= 10.04, so sticking with default pool output
- shell("/usr/sbin/passenger-status") do |r|
+ shell("PATH=/usr/bin:$PATH /usr/sbin/passenger-status") do |r|
# spacing may vary
expect(r.stdout).to match(/[\-]+ General information [\-]+/)
if fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '14.04'
diff --git a/spec/acceptance/mod_php_spec.rb b/spec/acceptance/mod_php_spec.rb
index a0efe7fb86..28da68d3af 100644
--- a/spec/acceptance/mod_php_spec.rb
+++ b/spec/acceptance/mod_php_spec.rb
@@ -11,9 +11,9 @@
mod_dir = '/etc/httpd/conf.d'
service_name = 'httpd'
when 'FreeBSD'
- vhost_dir = '/usr/local/etc/apache22/Vhosts'
- mod_dir = '/usr/local/etc/apache22/Modules'
- service_name = 'apache22'
+ vhost_dir = '/usr/local/etc/apache24/Vhosts'
+ mod_dir = '/usr/local/etc/apache24/Modules'
+ service_name = 'apache24'
end
context "default php config" do
@@ -53,7 +53,7 @@ class { 'apache::mod::php': }
end
end
- context "custom extensions, php_admin_flag, and php_admin_value" do
+ context "custom extensions, php_flag, php_value, php_admin_flag, and php_admin_value" do
it 'succeeds in puppeting php' do
pp= <<-EOS
class { 'apache':
@@ -65,6 +65,8 @@ class { 'apache::mod::php':
apache::vhost { 'php.example.com':
port => '80',
docroot => '/var/www/php',
+ php_values => { 'include_path' => '.:/usr/share/pear:/usr/bin/php', },
+ php_flags => { 'display_errors' => 'on', },
php_admin_values => { 'open_basedir' => '/var/www/php/:/usr/share/pear/', },
php_admin_flags => { 'engine' => 'on', },
}
@@ -83,6 +85,8 @@ class { 'apache::mod::php':
end
describe file("#{vhost_dir}/25-php.example.com.conf") do
+ it { is_expected.to contain " php_flag display_errors on" }
+ it { is_expected.to contain " php_value include_path .:/usr/share/pear:/usr/bin/php" }
it { is_expected.to contain " php_admin_flag engine on" }
it { is_expected.to contain " php_admin_value open_basedir /var/www/php/:/usr/share/pear/" }
end
diff --git a/spec/acceptance/mod_proxy_html_spec.rb b/spec/acceptance/mod_proxy_html_spec.rb
index eab162b1a3..91bb0a097c 100644
--- a/spec/acceptance/mod_proxy_html_spec.rb
+++ b/spec/acceptance/mod_proxy_html_spec.rb
@@ -7,7 +7,7 @@
when 'RedHat'
service_name = 'httpd'
when 'FreeBSD'
- service_name = 'apache22'
+ service_name = 'apache24'
end
context "default proxy_html config" do
diff --git a/spec/acceptance/mod_security_spec.rb b/spec/acceptance/mod_security_spec.rb
new file mode 100644
index 0000000000..60295787e0
--- /dev/null
+++ b/spec/acceptance/mod_security_spec.rb
@@ -0,0 +1,228 @@
+require 'spec_helper_acceptance'
+
+describe 'apache::mod::security class', :unless => (UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) or (fact('osfamily') == 'Debian' and (fact('lsbdistcodename') == 'squeeze' or fact('lsbdistcodename') == 'lucid' or fact('lsbdistcodename') == 'precise'))) do
+ case fact('osfamily')
+ when 'Debian'
+ mod_dir = '/etc/apache2/mods-available'
+ service_name = 'apache2'
+ package_name = 'apache2'
+ when 'RedHat'
+ mod_dir = '/etc/httpd/conf.d'
+ service_name = 'httpd'
+ package_name = 'httpd'
+ end
+
+ context "default mod_security config" do
+ if fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') =~ /(5|6)/
+ it 'adds epel' do
+ pp = "class { 'epel': }"
+ apply_manifest(pp, :catch_failures => true)
+ end
+ end
+
+ it 'succeeds in puppeting mod_security' do
+ pp= <<-EOS
+ host { 'modsec.example.com': ip => '127.0.0.1', }
+ class { 'apache': }
+ class { 'apache::mod::security': }
+ apache::vhost { 'modsec.example.com':
+ port => '80',
+ docroot => '/var/www/html',
+ }
+ file { '/var/www/html/index.html':
+ ensure => file,
+ content => 'Index page',
+ }
+ EOS
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ describe service(service_name) do
+ it { is_expected.to be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ describe package(package_name) do
+ it { is_expected.to be_installed }
+ end
+
+ describe file("#{mod_dir}/security.conf") do
+ it { is_expected.to contain "mod_security2.c" }
+ end
+
+ it 'should return index page' do
+ shell('/usr/bin/curl -A beaker modsec.example.com:80') do |r|
+ expect(r.stdout).to match(/Index page/)
+ expect(r.exit_code).to eq(0)
+ end
+ end
+
+ it 'should block query with SQL' do
+ shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22]
+ end
+
+ end #default mod_security config
+
+ context "mod_security should allow disabling by vhost" do
+ it 'succeeds in puppeting mod_security' do
+ pp= <<-EOS
+ host { 'modsec.example.com': ip => '127.0.0.1', }
+ class { 'apache': }
+ class { 'apache::mod::security': }
+ apache::vhost { 'modsec.example.com':
+ port => '80',
+ docroot => '/var/www/html',
+ }
+ file { '/var/www/html/index.html':
+ ensure => file,
+ content => 'Index page',
+ }
+ EOS
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ describe service(service_name) do
+ it { is_expected.to be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ describe file("#{mod_dir}/security.conf") do
+ it { is_expected.to contain "mod_security2.c" }
+ end
+
+ it 'should block query with SQL' do
+ shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22]
+ end
+
+ it 'should disable mod_security per vhost' do
+ pp= <<-EOS
+ class { 'apache': }
+ class { 'apache::mod::security': }
+ apache::vhost { 'modsec.example.com':
+ port => '80',
+ docroot => '/var/www/html',
+ modsec_disable_vhost => true,
+ }
+ EOS
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should return index page' do
+ shell('/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users') do |r|
+ expect(r.stdout).to match(/Index page/)
+ expect(r.exit_code).to eq(0)
+ end
+ end
+ end #mod_security should allow disabling by vhost
+
+ context "mod_security should allow disabling by ip" do
+ it 'succeeds in puppeting mod_security' do
+ pp= <<-EOS
+ host { 'modsec.example.com': ip => '127.0.0.1', }
+ class { 'apache': }
+ class { 'apache::mod::security': }
+ apache::vhost { 'modsec.example.com':
+ port => '80',
+ docroot => '/var/www/html',
+ }
+ file { '/var/www/html/index.html':
+ ensure => file,
+ content => 'Index page',
+ }
+ EOS
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ describe service(service_name) do
+ it { is_expected.to be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ describe file("#{mod_dir}/security.conf") do
+ it { is_expected.to contain "mod_security2.c" }
+ end
+
+ it 'should block query with SQL' do
+ shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22]
+ end
+
+ it 'should disable mod_security per vhost' do
+ pp= <<-EOS
+ class { 'apache': }
+ class { 'apache::mod::security': }
+ apache::vhost { 'modsec.example.com':
+ port => '80',
+ docroot => '/var/www/html',
+ modsec_disable_ips => [ '127.0.0.1' ],
+ }
+ EOS
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should return index page' do
+ shell('/usr/bin/curl -A beaker modsec.example.com:80') do |r|
+ expect(r.stdout).to match(/Index page/)
+ expect(r.exit_code).to eq(0)
+ end
+ end
+ end #mod_security should allow disabling by ip
+
+ context "mod_security should allow disabling by id" do
+ it 'succeeds in puppeting mod_security' do
+ pp= <<-EOS
+ host { 'modsec.example.com': ip => '127.0.0.1', }
+ class { 'apache': }
+ class { 'apache::mod::security': }
+ apache::vhost { 'modsec.example.com':
+ port => '80',
+ docroot => '/var/www/html',
+ }
+ file { '/var/www/html/index.html':
+ ensure => file,
+ content => 'Index page',
+ }
+ file { '/var/www/html/index2.html':
+ ensure => file,
+ content => 'Page 2',
+ }
+ EOS
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ describe service(service_name) do
+ it { is_expected.to be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ describe file("#{mod_dir}/security.conf") do
+ it { is_expected.to contain "mod_security2.c" }
+ end
+
+ it 'should block query with SQL' do
+ shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22]
+ end
+
+ it 'should disable mod_security per vhost' do
+ pp= <<-EOS
+ class { 'apache': }
+ class { 'apache::mod::security': }
+ apache::vhost { 'modsec.example.com':
+ port => '80',
+ docroot => '/var/www/html',
+ modsec_disable_ids => [ '950007' ],
+ }
+ EOS
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should return index page' do
+ shell('/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users') do |r|
+ expect(r.stdout).to match(/Index page/)
+ expect(r.exit_code).to eq(0)
+ end
+ end
+
+ end #mod_security should allow disabling by id
+
+
+end #apache::mod::security class
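Review bot: In the 'mod_security should allow disabling by ip' context the final check requests `modsec.example.com:80` without the `?SELECT%20*FROM%20mysql.users` query, so it returns the index page whether or not `modsec_disable_ips` took effect; send the same SQL-bearing request with `-f`, as the vhost and id contexts do. Smaller points in this file: the ip and id contexts reuse the example name 'should disable mod_security per vhost', `index2.html` is created but never requested, the URL containing `?` and `*` is passed to the shell unquoted, and exit code 22 from `curl -f` only shows that some HTTP error status came back, so asserting the specific status (for instance via `-w '%{http_code}'`) would tie the failure to the rule engine.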
diff --git a/spec/acceptance/mod_suphp_spec.rb b/spec/acceptance/mod_suphp_spec.rb
index 1b91581441..190edfc613 100644
--- a/spec/acceptance/mod_suphp_spec.rb
+++ b/spec/acceptance/mod_suphp_spec.rb
@@ -32,6 +32,7 @@ class { 'apache::mod::suphp': }
end
it 'should answer to suphp.example.com' do
+ shell("/bin/sleep 10")
shell("/usr/bin/curl suphp.example.com:80") do |r|
expect(r.stdout).to match(/^daemon$/)
expect(r.exit_code).to eq(0)
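Review bot: `shell("/bin/sleep 10")` ahead of the curl is a fixed delay: it adds ten seconds to every run and still fails on a host that needs longer. Poll the endpoint with a bounded retry loop instead, and add a comment saying what the test is waiting for.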
diff --git a/spec/acceptance/nodesets/centos-70-x64.yml b/spec/acceptance/nodesets/centos-70-x64.yml
new file mode 100644
index 0000000000..2ab0052043
--- /dev/null
+++ b/spec/acceptance/nodesets/centos-70-x64.yml
@@ -0,0 +1,11 @@
+HOSTS:
+ centos-70-x64:
+ roles:
+ - master
+ platform: el-7-x86_64
+ box : puppetlabs/centos-7.0-64-nocm
+ box_url : https://vagrantcloud.com/puppetlabs/boxes/centos-7.0-64-nocm
+ hypervisor : vagrant
+CONFIG:
+ log_level: verbose
+ type: foss
diff --git a/spec/acceptance/nodesets/sles-11sp1-x64.yml b/spec/acceptance/nodesets/sles-11sp1-x64.yml
deleted file mode 100644
index a9f01d5f42..0000000000
--- a/spec/acceptance/nodesets/sles-11sp1-x64.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-HOSTS:
- sles-11sp1-x64:
- roles:
- - master
- platform: sles-11-x86_64
- box : sles-11sp1-x64-vbox4210-nocm
- box_url : http://puppet-vagrant-boxes.puppetlabs.com/sles-11sp1-x64-vbox4210-nocm.box
- hypervisor : vagrant
-CONFIG:
- log_level: debug
- type: git
diff --git a/spec/acceptance/prefork_worker_spec.rb b/spec/acceptance/prefork_worker_spec.rb
index 562ff5323d..5ed8726d63 100644
--- a/spec/acceptance/prefork_worker_spec.rb
+++ b/spec/acceptance/prefork_worker_spec.rb
@@ -6,7 +6,7 @@
when 'Debian'
servicename = 'apache2'
when 'FreeBSD'
- servicename = 'apache22'
+ servicename = 'apache24'
end
case fact('osfamily')
diff --git a/spec/acceptance/version.rb b/spec/acceptance/version.rb
index b88412b42f..098b0f41c3 100644
--- a/spec/acceptance/version.rb
+++ b/spec/acceptance/version.rb
@@ -38,19 +38,21 @@
if _operatingsystem == 'Ubuntu' and _operatingsystemrelease >= 13.10
$apache_version = '2.4'
+ elsif _operatingsystem == 'Debian' and _operatingsystemrelease >= 8.0
+ $apache_version = '2.4'
else
$apache_version = '2.2'
end
when 'FreeBSD'
- $confd_dir = '/usr/local/etc/apache22/Includes'
- $mod_dir = '/usr/local/etc/apache22/Modules'
- $conf_file = '/usr/local/etc/apache22/httpd.conf'
- $ports_file = '/usr/local/etc/apache22/Includes/ports.conf'
- $vhost = '/usr/local/etc/apache22/Vhosts/15-default.conf'
- $vhost_dir = '/usr/local/etc/apache22/Vhosts'
- $run_dir = '/var/run/apache22'
- $service_name = 'apache22'
- $package_name = 'apache22'
+ $confd_dir = '/usr/local/etc/apache24/Includes'
+ $mod_dir = '/usr/local/etc/apache24/Modules'
+ $conf_file = '/usr/local/etc/apache24/httpd.conf'
+ $ports_file = '/usr/local/etc/apache24/Includes/ports.conf'
+ $vhost = '/usr/local/etc/apache24/Vhosts/15-default.conf'
+ $vhost_dir = '/usr/local/etc/apache24/Vhosts'
+ $run_dir = '/var/run/apache24'
+ $service_name = 'apache24'
+ $package_name = 'apache24'
$error_log = 'http-error.log'
$apache_version = '2.2'
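Review bot: The FreeBSD branch now points every path, the service name and the package name at apache24, but the context line that follows still sets `$apache_version = '2.2'`, so version-dependent expectations in the acceptance suite would be evaluated as 2.2 against a 2.4 install. Set it to '2.4' here, or if 2.2 is deliberate, say why in a comment.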
diff --git a/spec/acceptance/vhost_spec.rb b/spec/acceptance/vhost_spec.rb
index 483b74945c..ce504cc3a3 100644
--- a/spec/acceptance/vhost_spec.rb
+++ b/spec/acceptance/vhost_spec.rb
@@ -761,6 +761,34 @@ class { 'apache': }
end
end
+ describe 'multiple access_logs' do
+ it 'applies cleanly' do
+ pp = <<-EOS
+ class { 'apache': }
+ host { 'test.server': ip => '127.0.0.1' }
+ apache::vhost { 'test.server':
+ docroot => '/tmp',
+ logroot => '/tmp',
+ access_logs => [
+ {'file' => 'log1'},
+ {'file' => 'log2', 'env' => 'admin' },
+ {'file' => '/var/tmp/log3', 'format' => '%h %l'},
+ {'syslog' => 'syslog' }
+ ]
+ }
+ EOS
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ describe file("#{$vhost_dir}/25-test.server.conf") do
+ it { is_expected.to be_file }
+ it { is_expected.to contain 'CustomLog "/tmp/log1" combined' }
+ it { is_expected.to contain 'CustomLog "/tmp/log2" combined env=admin' }
+ it { is_expected.to contain 'CustomLog "/var/tmp/log3" "%h %l"' }
+ it { is_expected.to contain 'CustomLog "syslog" combined' }
+ end
+ end
+
describe 'aliases' do
it 'applies cleanly' do
pp = <<-EOS
@@ -1187,7 +1215,7 @@ class { 'apache::mod::fastcgi': }
describe 'additional_includes' do
it 'applies cleanly' do
pp = <<-EOS
- if $::osfamily == 'RedHat' and $::selinux == 'true' {
+ if $::osfamily == 'RedHat' and $::selinux {
$semanage_package = $::operatingsystemmajrelease ? {
'5' => 'policycoreutils',
default => 'policycoreutils-python',
@@ -1223,4 +1251,20 @@ class { 'apache': }
end
end
+ describe 'virtualhost without priority prefix' do
+ it 'applies cleanly' do
+ pp = <<-EOS
+ class { 'apache': }
+ apache::vhost { 'test.server':
+ priority => false,
+ docroot => '/tmp'
+ }
+ EOS
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ describe file("#{$vhost_dir}/test.server.conf") do
+ it { is_expected.to be_file }
+ end
+ end
end
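Review bot: The 'virtualhost without priority prefix' example only checks that `test.server.conf` exists, so it would still pass if the module wrote both the unprefixed file and a prefixed one. The 'multiple access_logs' example earlier in this file uses the same vhost name and expects `25-test.server.conf`; add a `describe file("#{$vhost_dir}/25-test.server.conf")` block with `it { is_expected.not_to be_file }` to show the prefix is really omitted.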
diff --git a/spec/classes/apache_spec.rb b/spec/classes/apache_spec.rb
index fe61a9796b..ebe267d7ad 100644
--- a/spec/classes/apache_spec.rb
+++ b/spec/classes/apache_spec.rb
@@ -12,6 +12,7 @@
:operatingsystemrelease => '6',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
:concat_basedir => '/dne',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -92,7 +93,10 @@
context "with Apache version >= 2.4" do
let :params do
- { :apache_version => '2.4' }
+ {
+ :apache_version => '2.4',
+ :use_optional_includes => true
+ }
end
it { is_expected.to contain_file("/etc/apache2/apache2.conf").with_content %r{^IncludeOptional "/etc/apache2/conf\.d/\*\.conf"$} }
@@ -218,6 +222,7 @@
:operatingsystemrelease => '5',
:concat_basedir => '/dne',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -315,7 +320,10 @@
context "with Apache version >= 2.4" do
let :params do
- { :apache_version => '2.4' }
+ {
+ :apache_version => '2.4',
+ :use_optional_includes => true
+ }
end
it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^IncludeOptional "/etc/httpd/conf\.d/\*\.conf"$} }
@@ -488,6 +496,42 @@
it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^EnableSendfile Off\n} }
end
end
+ context "on Fedora" do
+ let :facts do
+ super().merge({
+ :operatingsystem => 'Fedora'
+ })
+ end
+
+ context "21" do
+ let :facts do
+ super().merge({
+ :lsbdistrelease => '21',
+ :operatingsystemrelease => '21'
+ })
+ end
+ it { is_expected.to contain_class('apache').with_apache_version('2.4') }
+ end
+ context "Rawhide" do
+ let :facts do
+ super().merge({
+ :lsbdistrelease => 'Rawhide',
+ :operatingsystemrelease => 'Rawhide'
+ })
+ end
+ it { is_expected.to contain_class('apache').with_apache_version('2.4') }
+ end
+ # kinda obsolete
+ context "17" do
+ let :facts do
+ super().merge({
+ :lsbdistrelease => '17',
+ :operatingsystemrelease => '17'
+ })
+ end
+ it { is_expected.to contain_class('apache').with_apache_version('2.2') }
+ end
+ end
end
context "on a FreeBSD OS" do
let :facts do
@@ -496,9 +540,10 @@
:kernel => 'FreeBSD',
:osfamily => 'FreeBSD',
:operatingsystem => 'FreeBSD',
- :operatingsystemrelease => '9',
+ :operatingsystemrelease => '10',
:concat_basedir => '/dne',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -506,25 +551,25 @@
it { is_expected.to contain_user("www") }
it { is_expected.to contain_group("www") }
it { is_expected.to contain_class("apache::service") }
- it { is_expected.to contain_file("/usr/local/www/apache22/data").with(
+ it { is_expected.to contain_file("/usr/local/www/apache24/data").with(
'ensure' => 'directory'
)
}
- it { is_expected.to contain_file("/usr/local/etc/apache22/Vhosts").with(
+ it { is_expected.to contain_file("/usr/local/etc/apache24/Vhosts").with(
'ensure' => 'directory',
'recurse' => 'true',
'purge' => 'true',
'notify' => 'Class[Apache::Service]',
'require' => 'Package[httpd]'
) }
- it { is_expected.to contain_file("/usr/local/etc/apache22/Modules").with(
+ it { is_expected.to contain_file("/usr/local/etc/apache24/Modules").with(
'ensure' => 'directory',
'recurse' => 'true',
'purge' => 'true',
'notify' => 'Class[Apache::Service]',
'require' => 'Package[httpd]'
) }
- it { is_expected.to contain_concat("/usr/local/etc/apache22/ports.conf").with(
+ it { is_expected.to contain_concat("/usr/local/etc/apache24/ports.conf").with(
'owner' => 'root',
'group' => 'wheel',
'mode' => '0644',
@@ -534,7 +579,6 @@
[
'auth_basic',
'authn_file',
- 'authz_default',
'authz_groupfile',
'authz_host',
'authz_user',
@@ -542,7 +586,7 @@
'env'
].each do |modname|
it { is_expected.to contain_file("#{modname}.load").with(
- 'path' => "/usr/local/etc/apache22/Modules/#{modname}.load",
+ 'path' => "/usr/local/etc/apache24/Modules/#{modname}.load",
'ensure' => 'file'
) }
it { is_expected.not_to contain_file("#{modname}.conf") }
@@ -560,11 +604,11 @@
'setenvif',
].each do |modname|
it { is_expected.to contain_file("#{modname}.load").with(
- 'path' => "/usr/local/etc/apache22/Modules/#{modname}.load",
+ 'path' => "/usr/local/etc/apache24/Modules/#{modname}.load",
'ensure' => 'file'
) }
it { is_expected.to contain_file("#{modname}.conf").with(
- 'path' => "/usr/local/etc/apache22/Modules/#{modname}.conf",
+ 'path' => "/usr/local/etc/apache24/Modules/#{modname}.conf",
'ensure' => 'file'
) }
end
@@ -579,6 +623,7 @@
:operatingsystemrelease => '6',
:concat_basedir => '/dne',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
context 'with a custom apache_name parameter' do
@@ -617,6 +662,7 @@
{ :osfamily => 'Darwin',
:operatingsystemrelease => '13.1.0',
:concat_basedir => '/dne',
+ :is_pe => false,
}
end
diff --git a/spec/classes/dev_spec.rb b/spec/classes/dev_spec.rb
index df342d40e8..83292b1b15 100644
--- a/spec/classes/dev_spec.rb
+++ b/spec/classes/dev_spec.rb
@@ -8,6 +8,7 @@
:osfamily => 'Debian',
:operatingsystem => 'Debian',
:operatingsystemrelease => '6',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -21,6 +22,7 @@
:osfamily => 'RedHat',
:operatingsystem => 'RedHat',
:operatingsystemrelease => '6',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -35,6 +37,7 @@
:osfamily => 'FreeBSD',
:operatingsystem => 'FreeBSD',
:operatingsystemrelease => '9',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
diff --git a/spec/classes/mod/alias_spec.rb b/spec/classes/mod/alias_spec.rb
new file mode 100644
index 0000000000..151c37e65a
--- /dev/null
+++ b/spec/classes/mod/alias_spec.rb
@@ -0,0 +1,72 @@
+require 'spec_helper'
+
+describe 'apache::mod::alias', :type => :class do
+ let :pre_condition do
+ 'include apache'
+ end
+ context "on a Debian OS", :compile do
+ let :facts do
+ {
+ :id => 'root',
+ :kernel => 'Linux',
+ :lsbdistcodename => 'squeeze',
+ :osfamily => 'Debian',
+ :operatingsystem => 'Debian',
+ :operatingsystemrelease => '6',
+ :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :concat_basedir => '/dne',
+ :is_pe => false,
+ }
+ end
+ it { is_expected.to contain_apache__mod("alias") }
+ it { is_expected.to contain_file("alias.conf").with(:content => /Alias \/icons\/ "\/usr\/share\/apache2\/icons\/"/) }
+ end
+ context "on a RedHat 6-based OS", :compile do
+ let :facts do
+ {
+ :id => 'root',
+ :kernel => 'Linux',
+ :osfamily => 'RedHat',
+ :operatingsystem => 'RedHat',
+ :operatingsystemrelease => '6',
+ :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :concat_basedir => '/dne',
+ :is_pe => false,
+ }
+ end
+ it { is_expected.to contain_apache__mod("alias") }
+ it { is_expected.to contain_file("alias.conf").with(:content => /Alias \/icons\/ "\/var\/www\/icons\/"/) }
+ end
+ context "on a RedHat 7-based OS", :compile do
+ let :facts do
+ {
+ :id => 'root',
+ :kernel => 'Linux',
+ :osfamily => 'RedHat',
+ :operatingsystem => 'RedHat',
+ :operatingsystemrelease => '7',
+ :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :concat_basedir => '/dne',
+ :is_pe => false,
+ }
+ end
+ it { is_expected.to contain_apache__mod("alias") }
+ it { is_expected.to contain_file("alias.conf").with(:content => /Alias \/icons\/ "\/usr\/share\/httpd\/icons\/"/) }
+ end
+ context "on a FreeBSD OS", :compile do
+ let :facts do
+ {
+ :id => 'root',
+ :kernel => 'FreeBSD',
+ :osfamily => 'FreeBSD',
+ :operatingsystem => 'FreeBSD',
+ :operatingsystemrelease => '10',
+ :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :concat_basedir => '/dne',
+ :is_pe => false,
+ }
+ end
+ it { is_expected.to contain_apache__mod("alias") }
+ it { is_expected.to contain_file("alias.conf").with(:content => /Alias \/icons\/ "\/usr\/local\/www\/apache24\/icons\/"/) }
+ end
+end
diff --git a/spec/classes/mod/auth_cas_spec.rb b/spec/classes/mod/auth_cas_spec.rb
new file mode 100644
index 0000000000..53c13c5a12
--- /dev/null
+++ b/spec/classes/mod/auth_cas_spec.rb
@@ -0,0 +1,54 @@
+require 'spec_helper'
+
+describe 'apache::mod::auth_cas', :type => :class do
+ let :params do
+ {
+ :cas_login_url => 'https://cas.example.com/login',
+ :cas_validate_url => 'https://cas.example.com/validate',
+ }
+ end
+
+ let :pre_condition do
+ 'include ::apache'
+ end
+
+ context "on a Debian OS", :compile do
+ let :facts do
+ {
+ :id => 'root',
+ :kernel => 'Linux',
+ :lsbdistcodename => 'squeeze',
+ :osfamily => 'Debian',
+ :operatingsystem => 'Debian',
+ :operatingsystemrelease => '6',
+ :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :concat_basedir => '/dne',
+ :is_pe => false,
+ }
+ end
+ it { is_expected.to contain_class("apache::params") }
+ it { is_expected.to contain_apache__mod("auth_cas") }
+ it { is_expected.to contain_package("libapache2-mod-auth-cas") }
+ it { is_expected.to contain_file("auth_cas.conf").with_path('/etc/apache2/mods-available/auth_cas.conf') }
+ it { is_expected.to contain_file("/var/cache/apache2/mod_auth_cas/").with_owner('www-data') }
+ end
+ context "on a RedHat OS", :compile do
+ let :facts do
+ {
+ :id => 'root',
+ :kernel => 'Linux',
+ :osfamily => 'RedHat',
+ :operatingsystem => 'RedHat',
+ :operatingsystemrelease => '6',
+ :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :concat_basedir => '/dne',
+ :is_pe => false,
+ }
+ end
+ it { is_expected.to contain_class("apache::params") }
+ it { is_expected.to contain_apache__mod("auth_cas") }
+ it { is_expected.to contain_package("mod_auth_cas") }
+ it { is_expected.to contain_file("auth_cas.conf").with_path('/etc/httpd/conf.d/auth_cas.conf') }
+ it { is_expected.to contain_file("/var/cache/mod_auth_cas/").with_owner('apache') }
+ end
+end
diff --git a/spec/classes/mod/auth_kerb_spec.rb b/spec/classes/mod/auth_kerb_spec.rb
index 1706bfb8d3..8f82ff4dd4 100644
--- a/spec/classes/mod/auth_kerb_spec.rb
+++ b/spec/classes/mod/auth_kerb_spec.rb
@@ -15,6 +15,7 @@
:operatingsystemrelease => '6',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
:concat_basedir => '/dne',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -31,6 +32,7 @@
:operatingsystemrelease => '6',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
:concat_basedir => '/dne',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -47,6 +49,7 @@
:operatingsystemrelease => '9',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
:concat_basedir => '/dne',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
diff --git a/spec/classes/mod/authnz_ldap_spec.rb b/spec/classes/mod/authnz_ldap_spec.rb
index a0a913a6e2..f897833996 100644
--- a/spec/classes/mod/authnz_ldap_spec.rb
+++ b/spec/classes/mod/authnz_ldap_spec.rb
@@ -16,6 +16,7 @@
:kernel => 'Linux',
:operatingsystem => 'Debian',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -49,6 +50,7 @@
:kernel => 'Linux',
:operatingsystem => 'RedHat',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
diff --git a/spec/classes/mod/dav_svn_spec.rb b/spec/classes/mod/dav_svn_spec.rb
index 95abef9948..791baae03c 100644
--- a/spec/classes/mod/dav_svn_spec.rb
+++ b/spec/classes/mod/dav_svn_spec.rb
@@ -16,6 +16,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -33,6 +34,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -50,6 +52,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
diff --git a/spec/classes/mod/deflate_spec.rb b/spec/classes/mod/deflate_spec.rb
index c61010f28a..2eb6f5e8ad 100644
--- a/spec/classes/mod/deflate_spec.rb
+++ b/spec/classes/mod/deflate_spec.rb
@@ -41,6 +41,7 @@ class { "apache::mod::deflate":
:operatingsystemrelease => '6',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
:concat_basedir => '/dne',
+ :is_pe => false,
}
end
@@ -67,6 +68,7 @@ class { "apache::mod::deflate":
:operatingsystemrelease => '6',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
:concat_basedir => '/dne',
+ :is_pe => false,
}
end
@@ -86,6 +88,7 @@ class { "apache::mod::deflate":
:operatingsystemrelease => '9',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
:concat_basedir => '/dne',
+ :is_pe => false,
}
end
@@ -94,7 +97,7 @@ class { "apache::mod::deflate":
it { is_expected.to contain_file("deflate.conf").with({
:ensure => 'file',
- :path => '/usr/local/etc/apache22/Modules/deflate.conf',
+ :path => '/usr/local/etc/apache24/Modules/deflate.conf',
} ) }
end
end
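Review bot: the expected path moves to `apache24` here, but the facts in the preceding hunk of this file still set `:operatingsystemrelease => '9'`, whereas info_spec, itk_spec, peruser_spec and php_spec bump FreeBSD to `'10'` alongside the same path change. Assuming that hunk is the same FreeBSD context, either bump the release here too or state that the path no longer depends on the release, so the specs do not disagree about which FreeBSD version ships Apache 2.4.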
diff --git a/spec/classes/mod/dev_spec.rb b/spec/classes/mod/dev_spec.rb
index 84d80e344a..f653389776 100644
--- a/spec/classes/mod/dev_spec.rb
+++ b/spec/classes/mod/dev_spec.rb
@@ -18,6 +18,7 @@
:osfamily => osfamily,
:operatingsystem => osfamily,
:operatingsystemrelease => operatingsystemrelease,
+ :is_pe => false,
}
end
it { is_expected.to contain_class('apache::dev') }
diff --git a/spec/classes/mod/dir_spec.rb b/spec/classes/mod/dir_spec.rb
index 1efed2fe79..8aec59fed0 100644
--- a/spec/classes/mod/dir_spec.rb
+++ b/spec/classes/mod/dir_spec.rb
@@ -17,6 +17,7 @@
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
:lsbdistcodename => 'squeeze',
+ :is_pe => false,
}
end
context "passing no parameters" do
@@ -48,6 +49,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
context "passing no parameters" do
@@ -79,6 +81,7 @@
:id => 'root',
:kernel => 'FreeBSD',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
context "passing no parameters" do
diff --git a/spec/classes/mod/event_spec.rb b/spec/classes/mod/event_spec.rb
index 3061ca9b1f..796b6c3931 100644
--- a/spec/classes/mod/event_spec.rb
+++ b/spec/classes/mod/event_spec.rb
@@ -14,11 +14,12 @@
:id => 'root',
:kernel => 'FreeBSD',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
it { is_expected.not_to contain_apache__mod('event') }
- it { is_expected.to contain_file("/usr/local/etc/apache22/Modules/event.conf").with_ensure('file') }
+ it { is_expected.to contain_file("/usr/local/etc/apache24/Modules/event.conf").with_ensure('file') }
end
context "on a Debian OS" do
let :facts do
@@ -31,14 +32,46 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
+
it { is_expected.to contain_class("apache::params") }
it { is_expected.not_to contain_apache__mod('event') }
it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file') }
it { is_expected.to contain_file("/etc/apache2/mods-enabled/event.conf").with_ensure('link') }
+ context "Test mpm_event params" do
+ let :params do
+ {
+ :serverlimit => '0',
+ :startservers => '1',
+ :maxclients => '2',
+ :minsparethreads => '3',
+ :maxsparethreads => '4',
+ :threadsperchild => '5',
+ :maxrequestsperchild => '6',
+ :threadlimit => '7',
+ :listenbacklog => '8',
+ :maxrequestworkers => '9',
+ :maxconnectionsperchild => '10',
+ }
+ end
+
+ it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*ServerLimit\s*0/) }
+ it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*StartServers\s*1/) }
+ it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*MaxClients\s*2/) }
+ it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*MinSpareThreads\s*3/) }
+ it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*MaxSpareThreads\s*4/) }
+ it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*ThreadsPerChild\s*5/) }
+ it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*MaxRequestsPerChild\s*6/) }
+ it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*ThreadLimit\s*7/) }
+ it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*ListenBacklog\s*8/) }
+ it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*MaxRequestWorkers\s*9/) }
+ it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*MaxConnectionsPerChild\s*10/) }
+ end
+
context "with Apache version < 2.4" do
let :params do
{
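Review bot: the eleven `with_content` patterns in the new "Test mpm_event params" context are not anchored at the end and allow zero whitespace, so `/^\s*StartServers\s*1/` also passes on `StartServers 10` and `/^\s*MaxConnectionsPerChild\s*10/` on `MaxConnectionsPerChild 100`. Use `\s+` between the directive and the value and close each pattern with `$`, for example `/^\s*ThreadLimit\s+7$/`, so that a template bug which emits the wrong limit is caught. The eleven separate `it` blocks could also be generated from a hash of directive to value.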
@@ -77,6 +110,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
diff --git a/spec/classes/mod/fastcgi_spec.rb b/spec/classes/mod/fastcgi_spec.rb
index 126c5cc3ef..e204bb7460 100644
--- a/spec/classes/mod/fastcgi_spec.rb
+++ b/spec/classes/mod/fastcgi_spec.rb
@@ -15,6 +15,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -33,6 +34,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
diff --git a/spec/classes/mod/fcgid_spec.rb b/spec/classes/mod/fcgid_spec.rb
index a342e58135..214ec75bea 100644
--- a/spec/classes/mod/fcgid_spec.rb
+++ b/spec/classes/mod/fcgid_spec.rb
@@ -17,6 +17,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -35,6 +36,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
@@ -79,6 +81,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
@@ -103,6 +106,7 @@
:id => 'root',
:kernel => 'FreeBSD',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
diff --git a/spec/classes/mod/info_spec.rb b/spec/classes/mod/info_spec.rb
index 20ed127dcb..32c6339dd9 100644
--- a/spec/classes/mod/info_spec.rb
+++ b/spec/classes/mod/info_spec.rb
@@ -1,5 +1,5 @@
# This function is called inside the OS specific contexts
-def general_info_specs
+def general_info_specs_22
it { is_expected.to contain_apache__mod('info') }
context 'passing no parameters' do
@@ -62,6 +62,62 @@ def general_info_specs
end
end
+def general_info_specs_24
+ it { is_expected.to contain_apache__mod('info') }
+
+ context 'passing no parameters' do
+ it {
+ is_expected.to contain_file('info.conf').with_content(
+ "\n"\
+ " SetHandler server-info\n"\
+ " Require ip 127.0.0.1 ::1\n"\
+ "\n"
+ )
+ }
+ end
+ context 'passing restrict_access => false' do
+ let :params do {
+ :restrict_access => false
+ }
+ end
+ it {
+ is_expected.to contain_file('info.conf').with_content(
+ "\n"\
+ " SetHandler server-info\n"\
+ "\n"
+ )
+ }
+ end
+ context "passing allow_from => ['10.10.1.2', '192.168.1.2', '127.0.0.1']" do
+ let :params do
+ {:allow_from => ['10.10.1.2', '192.168.1.2', '127.0.0.1']}
+ end
+ it {
+ is_expected.to contain_file('info.conf').with_content(
+ "\n"\
+ " SetHandler server-info\n"\
+ " Require ip 10.10.1.2 192.168.1.2 127.0.0.1\n"\
+ "\n"
+ )
+ }
+ end
+ context 'passing both restrict_access and allow_from' do
+ let :params do
+ {
+ :restrict_access => false,
+ :allow_from => ['10.10.1.2', '192.168.1.2', '127.0.0.1']
+ }
+ end
+ it {
+ is_expected.to contain_file('info.conf').with_content(
+ "\n"\
+ " SetHandler server-info\n"\
+ "\n"
+ )
+ }
+ end
+end
+
describe 'apache::mod::info', :type => :class do
let :pre_condition do
"class { 'apache': default_mods => false, }"
@@ -78,11 +134,12 @@ def general_info_specs
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
# Load the more generic tests for this context
- general_info_specs()
+ general_info_specs_22()
it { is_expected.to contain_file('info.conf').with({
:ensure => 'file',
@@ -104,11 +161,12 @@ def general_info_specs
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
# Load the more generic tests for this context
- general_info_specs()
+ general_info_specs_22()
it { is_expected.to contain_file('info.conf').with({
:ensure => 'file',
@@ -120,21 +178,22 @@ def general_info_specs
let :facts do
{
:osfamily => 'FreeBSD',
- :operatingsystemrelease => '9',
+ :operatingsystemrelease => '10',
:concat_basedir => '/dne',
:operatingsystem => 'FreeBSD',
:id => 'root',
:kernel => 'FreeBSD',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
# Load the more generic tests for this context
- general_info_specs()
+ general_info_specs_24()
it { is_expected.to contain_file('info.conf').with({
:ensure => 'file',
- :path => '/usr/local/etc/apache22/Modules/info.conf',
+ :path => '/usr/local/etc/apache24/Modules/info.conf',
} ) }
end
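Review bot: the FreeBSD context now runs `general_info_specs_24()`, and that helper's `restrict_access => false` cases expect `SetHandler server-info` with no `Require` line at all, including the case where `allow_from` is passed as well. That pins in a test that `allow_from` is silently discarded and the server-info handler is left without access control. Please either make the combination an error, or document the precedence next to the parameter and say so in the context description. The helper is also a near copy of `general_info_specs_22`; passing the expected access lines as an argument would avoid two bodies drifting apart.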
diff --git a/spec/classes/mod/itk_spec.rb b/spec/classes/mod/itk_spec.rb
index b5d50a18af..1644408761 100644
--- a/spec/classes/mod/itk_spec.rb
+++ b/spec/classes/mod/itk_spec.rb
@@ -15,6 +15,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -54,16 +55,19 @@
let :facts do
{
:osfamily => 'FreeBSD',
- :operatingsystemrelease => '9',
+ :operatingsystemrelease => '10',
:concat_basedir => '/dne',
:operatingsystem => 'FreeBSD',
:id => 'root',
:kernel => 'FreeBSD',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
+ :mpm_module => 'itk',
}
end
it { is_expected.to contain_class("apache::params") }
it { is_expected.not_to contain_apache__mod('itk') }
- it { is_expected.to contain_file("/usr/local/etc/apache22/Modules/itk.conf").with_ensure('file') }
+ it { is_expected.to contain_file("/usr/local/etc/apache24/Modules/itk.conf").with_ensure('file') }
+ it { is_expected.to contain_package("www/mod_mpm_itk") }
end
end
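Review bot: `:mpm_module => 'itk'` is added inside `let :facts`, next to `:is_pe`, but it reads like a class parameter rather than a fact. If the new `contain_package("www/mod_mpm_itk")` expectation depends on it, set it where the manifest actually reads it (a `let :params` or the `pre_condition`) so the test does not pass through an unintended top-scope variable lookup.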
diff --git a/spec/classes/mod/mime_magic_spec.rb b/spec/classes/mod/mime_magic_spec.rb
index 5e78230e28..f846ce386b 100644
--- a/spec/classes/mod/mime_magic_spec.rb
+++ b/spec/classes/mod/mime_magic_spec.rb
@@ -21,6 +21,7 @@ def general_mime_magic_specs
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
@@ -65,6 +66,7 @@ def general_mime_magic_specs
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
@@ -91,6 +93,7 @@ def general_mime_magic_specs
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
diff --git a/spec/classes/mod/mime_spec.rb b/spec/classes/mod/mime_spec.rb
index 32edbc4b02..3c7ad88d18 100644
--- a/spec/classes/mod/mime_spec.rb
+++ b/spec/classes/mod/mime_spec.rb
@@ -21,6 +21,7 @@ def general_mime_specs
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
@@ -40,6 +41,7 @@ def general_mime_specs
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
diff --git a/spec/classes/mod/negotiation_spec.rb b/spec/classes/mod/negotiation_spec.rb
index d01442cb9a..813e76def0 100644
--- a/spec/classes/mod/negotiation_spec.rb
+++ b/spec/classes/mod/negotiation_spec.rb
@@ -13,6 +13,7 @@
:concat_basedir => '/dne',
:id => 'root',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
diff --git a/spec/classes/mod/pagespeed_spec.rb b/spec/classes/mod/pagespeed_spec.rb
index c4abd3e100..c3f5a41447 100644
--- a/spec/classes/mod/pagespeed_spec.rb
+++ b/spec/classes/mod/pagespeed_spec.rb
@@ -15,6 +15,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -33,6 +34,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
diff --git a/spec/classes/mod/passenger_spec.rb b/spec/classes/mod/passenger_spec.rb
index 23154014a4..9c9935939e 100644
--- a/spec/classes/mod/passenger_spec.rb
+++ b/spec/classes/mod/passenger_spec.rb
@@ -16,6 +16,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -130,6 +131,7 @@
:concat_basedir => '/dne',
:id => 'root',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
@@ -149,6 +151,7 @@
:concat_basedir => '/dne',
:id => 'root',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
@@ -168,6 +171,7 @@
:concat_basedir => '/dne',
:id => 'root',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
@@ -175,6 +179,26 @@
it { is_expected.to contain_file('passenger.conf').with_content(%r{PassengerRuby "/usr/bin/ruby"}) }
it { is_expected.to contain_file('passenger.conf').without_content(/PassengerDefaultRuby/) }
end
+
+ context "with Debian 8 defaults" do
+ let :facts do
+ {
+ :osfamily => 'Debian',
+ :operatingsystemrelease => '8.0',
+ :operatingsystem => 'Debian',
+ :kernel => 'Linux',
+ :lsbdistcodename => 'jessie',
+ :concat_basedir => '/dne',
+ :id => 'root',
+ :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
+ }
+ end
+
+ it { is_expected.to contain_file('passenger.conf').with_content(%r{PassengerRoot "/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini"}) }
+ it { is_expected.to contain_file('passenger.conf').without_content(/PassengerRuby/) }
+ it { is_expected.to contain_file('passenger.conf').with_content(%r{PassengerDefaultRuby "/usr/bin/ruby"}) }
+ end
end
context "on a RedHat OS" do
@@ -187,6 +211,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -225,6 +250,7 @@
:id => 'root',
:kernel => 'FreeBSD',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
diff --git a/spec/classes/mod/perl_spec.rb b/spec/classes/mod/perl_spec.rb
index 2c14c31f06..5bfe8ff2d2 100644
--- a/spec/classes/mod/perl_spec.rb
+++ b/spec/classes/mod/perl_spec.rb
@@ -15,6 +15,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -31,6 +32,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -47,6 +49,7 @@
:id => 'root',
:kernel => 'FreeBSD',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
diff --git a/spec/classes/mod/peruser_spec.rb b/spec/classes/mod/peruser_spec.rb
index c0dfc96f55..d38f8bba62 100644
--- a/spec/classes/mod/peruser_spec.rb
+++ b/spec/classes/mod/peruser_spec.rb
@@ -8,16 +8,19 @@
let :facts do
{
:osfamily => 'FreeBSD',
- :operatingsystemrelease => '9',
+ :operatingsystemrelease => '10',
:concat_basedir => '/dne',
:operatingsystem => 'FreeBSD',
:id => 'root',
:kernel => 'FreeBSD',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
- it { is_expected.to contain_class("apache::params") }
- it { is_expected.not_to contain_apache__mod('peruser') }
- it { is_expected.to contain_file("/usr/local/etc/apache22/Modules/peruser.conf").with_ensure('file') }
+ it do
+ expect {
+ should compile
+ }.to raise_error(Puppet::Error, /Unsupported osfamily FreeBSD/)
+ end
end
end
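Review bot: the new failure expectation uses `should compile` inside an `expect` block while the rest of the file uses the `is_expected` form. ssl_spec in this same patch writes the equivalent check as `it { expect { subject }.to raise_error(Puppet::Error, /Unsupported osfamily:/) }`; matching that form here keeps the two consistent. The context also loses its only positive assertions, so a short comment on why peruser is unsupported on FreeBSD 10 would help the next reader.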
diff --git a/spec/classes/mod/php_spec.rb b/spec/classes/mod/php_spec.rb
index cf61318797..f2dbfb1a91 100644
--- a/spec/classes/mod/php_spec.rb
+++ b/spec/classes/mod/php_spec.rb
@@ -12,6 +12,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
context "with mpm_module => prefork" do
@@ -49,6 +50,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
context "with default params" do
@@ -124,12 +126,13 @@
let :facts do
{
:osfamily => 'FreeBSD',
- :operatingsystemrelease => '9',
+ :operatingsystemrelease => '10',
:concat_basedir => '/dne',
:operatingsystem => 'FreeBSD',
:id => 'root',
:kernel => 'FreeBSD',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
context "with mpm_module => prefork" do
@@ -138,7 +141,7 @@
end
it { is_expected.to contain_class('apache::params') }
it { is_expected.to contain_apache__mod('php5') }
- it { is_expected.to contain_package("lang/php5") }
+ it { is_expected.to contain_package("www/mod_php5") }
it { is_expected.to contain_file('php5.load') }
end
context "with mpm_module => itk" do
@@ -148,7 +151,7 @@
it { is_expected.to contain_class('apache::params') }
it { is_expected.to contain_class('apache::mod::itk') }
it { is_expected.to contain_apache__mod('php5') }
- it { is_expected.to contain_package("lang/php5") }
+ it { is_expected.to contain_package("www/mod_php5") }
it { is_expected.to contain_file('php5.load') }
end
end
@@ -163,6 +166,7 @@
:concat_basedir => '/dne',
:id => 'root',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
context 'with content param' do
diff --git a/spec/classes/mod/prefork_spec.rb b/spec/classes/mod/prefork_spec.rb
index 34bca08dc0..58c06e0bda 100644
--- a/spec/classes/mod/prefork_spec.rb
+++ b/spec/classes/mod/prefork_spec.rb
@@ -15,6 +15,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -60,6 +61,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -105,10 +107,11 @@
:id => 'root',
:kernel => 'FreeBSD',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
it { is_expected.not_to contain_apache__mod('prefork') }
- it { is_expected.to contain_file("/usr/local/etc/apache22/Modules/prefork.conf").with_ensure('file') }
+ it { is_expected.to contain_file("/usr/local/etc/apache24/Modules/prefork.conf").with_ensure('file') }
end
end
diff --git a/spec/classes/mod/proxy_connect_spec.rb b/spec/classes/mod/proxy_connect_spec.rb
new file mode 100644
index 0000000000..f4b4cc2e6b
--- /dev/null
+++ b/spec/classes/mod/proxy_connect_spec.rb
@@ -0,0 +1,51 @@
+require 'spec_helper'
+
+describe 'apache::mod::proxy_connect', :type => :class do
+ let :pre_condition do
+ [
+ 'include apache',
+ 'include apache::mod::proxy',
+ ]
+ end
+ context 'on a Debian OS' do
+ let :facts do
+ {
+ :osfamily => 'Debian',
+ :concat_basedir => '/dne',
+ :operatingsystem => 'Debian',
+ :id => 'root',
+ :kernel => 'Linux',
+ :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
+ }
+ end
+ context 'with Apache version < 2.4' do
+ let :facts do
+ super().merge({
+ :operatingsystemrelease => '7.0',
+ :lsbdistcodename => 'wheezy',
+ })
+ end
+ let :params do
+ {
+ :apache_version => '2.2',
+ }
+ end
+ it { is_expected.not_to contain_apache__mod('proxy_connect') }
+ end
+ context 'with Apache version >= 2.4' do
+ let :facts do
+ super().merge({
+ :operatingsystemrelease => '8.0',
+ :lsbdistcodename => 'jessie',
+ })
+ end
+ let :params do
+ {
+ :apache_version => '2.4',
+ }
+ end
+ it { is_expected.to contain_apache__mod('proxy_connect') }
+ end
+ end
+end
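Review bot: both contexts pass `:apache_version` explicitly as a parameter, so the `operatingsystemrelease` and `lsbdistcodename` facts merged in just above have no visible effect on the outcome, and the default path, where the version is derived from the facts, is never exercised. Add a context that omits the parameter for each release, or drop the fact overrides. Only Debian is covered; since the class is version-gated rather than OS-gated, one RedHat context would confirm that.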
diff --git a/spec/classes/mod/proxy_html_spec.rb b/spec/classes/mod/proxy_html_spec.rb
index 81a2bb5371..ce3e70c3a9 100644
--- a/spec/classes/mod/proxy_html_spec.rb
+++ b/spec/classes/mod/proxy_html_spec.rb
@@ -25,6 +25,7 @@
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
:hardwaremodel => 'i386',
+ :is_pe => false,
}
end
@@ -60,6 +61,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -76,6 +78,7 @@
:id => 'root',
:kernel => 'FreeBSD',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
diff --git a/spec/classes/mod/python_spec.rb b/spec/classes/mod/python_spec.rb
index 17b62d43bd..9b6d846de0 100644
--- a/spec/classes/mod/python_spec.rb
+++ b/spec/classes/mod/python_spec.rb
@@ -15,6 +15,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -31,6 +32,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -47,6 +49,7 @@
:id => 'root',
:kernel => 'FreeBSD',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
diff --git a/spec/classes/mod/reqtimeout_spec.rb b/spec/classes/mod/reqtimeout_spec.rb
index 07c09b0940..97aa7db453 100644
--- a/spec/classes/mod/reqtimeout_spec.rb
+++ b/spec/classes/mod/reqtimeout_spec.rb
@@ -17,6 +17,7 @@
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
:lsbdistcodename => 'squeeze',
+ :is_pe => false,
}
end
context "passing no parameters" do
@@ -51,6 +52,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
context "passing no parameters" do
@@ -85,6 +87,7 @@
:id => 'root',
:kernel => 'FreeBSD',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
context "passing no parameters" do
diff --git a/spec/classes/mod/rpaf_spec.rb b/spec/classes/mod/rpaf_spec.rb
index ca3a594848..d2d5c342d1 100644
--- a/spec/classes/mod/rpaf_spec.rb
+++ b/spec/classes/mod/rpaf_spec.rb
@@ -17,6 +17,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -56,13 +57,14 @@
:id => 'root',
:kernel => 'FreeBSD',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
it { is_expected.to contain_apache__mod('rpaf') }
it { is_expected.to contain_package("www/mod_rpaf2") }
it { is_expected.to contain_file('rpaf.conf').with({
- 'path' => '/usr/local/etc/apache22/Modules/rpaf.conf',
+ 'path' => '/usr/local/etc/apache24/Modules/rpaf.conf',
}) }
it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAFenable On$/) }
diff --git a/spec/classes/mod/security_spec.rb b/spec/classes/mod/security_spec.rb
new file mode 100644
index 0000000000..93f751ee4e
--- /dev/null
+++ b/spec/classes/mod/security_spec.rb
@@ -0,0 +1,95 @@
+require 'spec_helper'
+
+describe 'apache::mod::security', :type => :class do
+ let :pre_condition do
+ 'include apache'
+ end
+
+ context "on RedHat based systems" do
+ let :facts do
+ {
+ :osfamily => 'RedHat',
+ :operatingsystem => 'CentOS',
+ :operatingsystemrelease => '7',
+ :kernel => 'Linux',
+ :id => 'root',
+ :concat_basedir => '/',
+ :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
+ }
+ end
+ it { should contain_apache__mod('security').with(
+ :id => 'security2_module',
+ :lib => 'mod_security2.so'
+ ) }
+ it { should contain_apache__mod('unique_id_module').with(
+ :id => 'unique_id_module',
+ :lib => 'mod_unique_id.so'
+ ) }
+ it { should contain_package('mod_security_crs') }
+ it { should contain_file('security.conf').with(
+ :path => '/etc/httpd/conf.d/security.conf'
+ ) }
+ it { should contain_file('/etc/httpd/modsecurity.d').with(
+ :ensure => 'directory',
+ :path => '/etc/httpd/modsecurity.d',
+ :owner => 'apache',
+ :group => 'apache'
+ ) }
+ it { should contain_file('/etc/httpd/modsecurity.d/activated_rules').with(
+ :ensure => 'directory',
+ :path => '/etc/httpd/modsecurity.d/activated_rules',
+ :owner => 'apache',
+ :group => 'apache'
+ ) }
+ it { should contain_file('/etc/httpd/modsecurity.d/security_crs.conf').with(
+ :path => '/etc/httpd/modsecurity.d/security_crs.conf'
+ ) }
+ it { should contain_apache__security__rule_link('base_rules/modsecurity_35_bad_robots.data') }
+ end
+
+ context "on Debian based systems" do
+ let :facts do
+ {
+ :osfamily => 'Debian',
+ :operatingsystem => 'Debian',
+ :operatingsystemrelease => '6',
+ :concat_basedir => '/',
+ :lsbdistcodename => 'squeeze',
+ :id => 'root',
+ :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :kernel => 'Linux',
+ :is_pe => false,
+ }
+ end
+ it { should contain_apache__mod('security').with(
+ :id => 'security2_module',
+ :lib => 'mod_security2.so'
+ ) }
+ it { should contain_apache__mod('unique_id_module').with(
+ :id => 'unique_id_module',
+ :lib => 'mod_unique_id.so'
+ ) }
+ it { should contain_package('modsecurity-crs') }
+ it { should contain_file('security.conf').with(
+ :path => '/etc/apache2/mods-available/security.conf'
+ ) }
+ it { should contain_file('/etc/modsecurity').with(
+ :ensure => 'directory',
+ :path => '/etc/modsecurity',
+ :owner => 'www-data',
+ :group => 'www-data'
+ ) }
+ it { should contain_file('/etc/modsecurity/activated_rules').with(
+ :ensure => 'directory',
+ :path => '/etc/modsecurity/activated_rules',
+ :owner => 'www-data',
+ :group => 'www-data'
+ ) }
+ it { should contain_file('/etc/modsecurity/security_crs.conf').with(
+ :path => '/etc/modsecurity/security_crs.conf'
+ ) }
+ it { should contain_apache__security__rule_link('base_rules/modsecurity_35_bad_robots.data') }
+ end
+
+end
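Review bot: the spec pins the ModSecurity rule directories (`/etc/httpd/modsecurity.d/activated_rules`, `/etc/modsecurity/activated_rules`) as owned by `apache:apache` and `www-data:www-data`, which is the account the web server runs as, and asserts no mode. A rules directory writable by the process it is meant to constrain lets a compromised worker alter or remove the active rules; prefer root ownership with read access for the server group, and assert the mode. Smaller points: `:concat_basedir => '/'` differs from the `'/dne'` used in the other specs, the file uses `should` where the rest of the suite uses `is_expected.to`, and nothing checks the content of `security.conf`.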
diff --git a/spec/classes/mod/shib_spec.rb b/spec/classes/mod/shib_spec.rb
index e515db96df..0254d4c3c6 100644
--- a/spec/classes/mod/shib_spec.rb
+++ b/spec/classes/mod/shib_spec.rb
@@ -14,6 +14,7 @@
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
:fqdn => 'test.example.com',
+ :is_pe => false,
}
end
describe 'with no parameters' do
@@ -31,10 +32,11 @@
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
:fqdn => 'test.example.com',
+ :is_pe => false,
}
end
describe 'with no parameters' do
it { should contain_apache__mod('shib2').with_id('mod_shib') }
end
end
-end
\ No newline at end of file
+end
diff --git a/spec/classes/mod/speling_spec.rb b/spec/classes/mod/speling_spec.rb
index 814e0d6720..b07af25897 100644
--- a/spec/classes/mod/speling_spec.rb
+++ b/spec/classes/mod/speling_spec.rb
@@ -15,6 +15,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_apache__mod('speling') }
@@ -30,6 +31,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_apache__mod('speling') }
diff --git a/spec/classes/mod/ssl_spec.rb b/spec/classes/mod/ssl_spec.rb
index 93f04e3ca5..f7755ed362 100644
--- a/spec/classes/mod/ssl_spec.rb
+++ b/spec/classes/mod/ssl_spec.rb
@@ -14,6 +14,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { expect { subject }.to raise_error(Puppet::Error, /Unsupported osfamily:/) }
@@ -29,6 +30,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class('apache::params') }
@@ -56,6 +58,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class('apache::params') }
@@ -73,9 +76,49 @@
:id => 'root',
:kernel => 'FreeBSD',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class('apache::params') }
it { is_expected.to contain_apache__mod('ssl') }
end
+
+ # Template config doesn't vary by distro
+ context "on all distros" do
+ let :facts do
+ {
+ :osfamily => 'RedHat',
+ :operatingsystem => 'CentOS',
+ :operatingsystemrelease => '6',
+ :kernel => 'Linux',
+ :id => 'root',
+ :concat_basedir => '/dne',
+ :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
+ }
+ end
+
+ context 'not setting ssl_pass_phrase_dialog' do
+ it { is_expected.to contain_file('ssl.conf').with_content(/^ SSLPassPhraseDialog builtin$/)}
+ end
+
+ context 'setting ssl_pass_phrase_dialog' do
+ let :params do
+ {
+ :ssl_pass_phrase_dialog => 'exec:/path/to/program',
+ }
+ end
+ it { is_expected.to contain_file('ssl.conf').with_content(/^ SSLPassPhraseDialog exec:\/path\/to\/program$/)}
+ end
+
+ context 'setting ssl_random_seed_bytes' do
+ let :params do
+ {
+ :ssl_random_seed_bytes => '1024',
+ }
+ end
+ it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLRandomSeed startup file:/dev/urandom 1024$})}
+ end
+
+ end
end
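Review bot: the three new contexts cover only accepted values. `ssl_pass_phrase_dialog => 'exec:/path/to/program'` ends up verbatim in `ssl.conf` and names a program that httpd runs at startup, so add a case showing that a value which is neither `builtin` nor an `exec:` or `|` form with an absolute path is rejected at compile time, and likewise that a non-numeric `ssl_random_seed_bytes` fails. The context is named "on all distros" but sets only CentOS 6 facts; rename it or loop over the supported OS families. The `SSLRandomSeed` check covers only the `startup` line.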
diff --git a/spec/classes/mod/status_spec.rb b/spec/classes/mod/status_spec.rb
index adb60861ba..e3b3d24428 100644
--- a/spec/classes/mod/status_spec.rb
+++ b/spec/classes/mod/status_spec.rb
@@ -1,10 +1,10 @@
require 'spec_helper'
# Helper function for testing the contents of `status.conf`
-def status_conf_spec(allow_from, extended_status)
+def status_conf_spec(allow_from, extended_status, status_path)
it do
is_expected.to contain_file("status.conf").with_content(
- "\n"\
+ "\n"\
" SetHandler server-status\n"\
" Order deny,allow\n"\
" Deny from all\n"\
@@ -36,12 +36,13 @@ def status_conf_spec(allow_from, extended_status)
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_apache__mod("status") }
- status_conf_spec(["127.0.0.1", "::1"], "On")
+ status_conf_spec(["127.0.0.1", "::1"], "On", "/server-status")
it { is_expected.to contain_file("status.conf").with({
:ensure => 'file',
@@ -65,18 +66,19 @@ def status_conf_spec(allow_from, extended_status)
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_apache__mod("status") }
- status_conf_spec(["127.0.0.1", "::1"], "On")
+ status_conf_spec(["127.0.0.1", "::1"], "On", "/server-status")
it { is_expected.to contain_file("status.conf").with_path("/etc/httpd/conf.d/status.conf") }
end
- context "with custom parameters $allow_from => ['10.10.10.10','11.11.11.11'], $extended_status => 'Off'" do
+ context "with custom parameters $allow_from => ['10.10.10.10','11.11.11.11'], $extended_status => 'Off', $status_path => '/custom-status'" do
let :facts do
{
:osfamily => 'Debian',
@@ -87,16 +89,18 @@ def status_conf_spec(allow_from, extended_status)
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
let :params do
{
:allow_from => ['10.10.10.10','11.11.11.11'],
:extended_status => 'Off',
+ :status_path => '/custom-status',
}
end
- status_conf_spec(["10.10.10.10", "11.11.11.11"], "Off")
+ status_conf_spec(["10.10.10.10", "11.11.11.11"], "Off", "/custom-status")
end
@@ -111,6 +115,7 @@ def status_conf_spec(allow_from, extended_status)
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
let :params do
@@ -133,6 +138,7 @@ def status_conf_spec(allow_from, extended_status)
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
let :params do
@@ -158,6 +164,7 @@ def status_conf_spec(allow_from, extended_status)
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
let :params do
@@ -182,6 +189,7 @@ def status_conf_spec(allow_from, extended_status)
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
let :params do
diff --git a/spec/classes/mod/suphp_spec.rb b/spec/classes/mod/suphp_spec.rb
index b74b4c8646..9b20000f30 100644
--- a/spec/classes/mod/suphp_spec.rb
+++ b/spec/classes/mod/suphp_spec.rb
@@ -15,6 +15,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -30,6 +31,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
diff --git a/spec/classes/mod/worker_spec.rb b/spec/classes/mod/worker_spec.rb
index 5902c2c7ea..bb99a0fe65 100644
--- a/spec/classes/mod/worker_spec.rb
+++ b/spec/classes/mod/worker_spec.rb
@@ -15,6 +15,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -60,6 +61,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -105,11 +107,12 @@
:id => 'root',
:kernel => 'FreeBSD',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
it { is_expected.not_to contain_apache__mod('worker') }
- it { is_expected.to contain_file("/usr/local/etc/apache22/Modules/worker.conf").with_ensure('file') }
+ it { is_expected.to contain_file("/usr/local/etc/apache24/Modules/worker.conf").with_ensure('file') }
end
# Template config doesn't vary by distro
@@ -123,6 +126,7 @@
:id => 'root',
:concat_basedir => '/dne',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
diff --git a/spec/classes/mod/wsgi_spec.rb b/spec/classes/mod/wsgi_spec.rb
index 3875d3fd09..e8dd00db0a 100644
--- a/spec/classes/mod/wsgi_spec.rb
+++ b/spec/classes/mod/wsgi_spec.rb
@@ -15,6 +15,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -34,6 +35,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
@@ -55,6 +57,52 @@
end
it {is_expected.to contain_file('wsgi.conf').with_content(/^ WSGIPythonHome "\/path\/to\/virtenv"$/)}
end
+ describe "with custom package_name and mod_path" do
+ let :params do
+ {
+ :package_name => 'mod_wsgi_package',
+ :mod_path => '/foo/bar/baz',
+ }
+ end
+ it { is_expected.to contain_apache__mod('wsgi').with({
+ 'package' => 'mod_wsgi_package',
+ 'path' => '/foo/bar/baz',
+ })
+ }
+ it { is_expected.to contain_package("mod_wsgi_package") }
+ it { is_expected.to contain_file('wsgi.load').with_content(%r"LoadModule wsgi_module /foo/bar/baz") }
+ end
+ describe "with custom mod_path not containing /" do
+ let :params do
+ {
+ :package_name => 'mod_wsgi_package',
+ :mod_path => 'wsgi_mod_name.so',
+ }
+ end
+ it { is_expected.to contain_apache__mod('wsgi').with({
+ 'path' => 'modules/wsgi_mod_name.so',
+ 'package' => 'mod_wsgi_package',
+ })
+ }
+ it { is_expected.to contain_file('wsgi.load').with_content(%r"LoadModule wsgi_module modules/wsgi_mod_name.so") }
+
+ end
+ describe "with package_name but no mod_path" do
+ let :params do
+ {
+ :mod_path => '/foo/bar/baz',
+ }
+ end
+ it { expect { subject }.to raise_error Puppet::Error, /apache::mod::wsgi - both package_name and mod_path must be specified!/ }
+ end
+ describe "with mod_path but no package_name" do
+ let :params do
+ {
+ :package_name => '/foo/bar/baz',
+ }
+ end
+ it { expect { subject }.to raise_error Puppet::Error, /apache::mod::wsgi - both package_name and mod_path must be specified!/ }
+ end
end
context "on a FreeBSD OS" do
let :facts do
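Review bot: The last two `describe` labels are swapped relative to their params. "with package_name but no mod_path" sets only `:mod_path`, and "with mod_path but no package_name" sets only `:package_name`. Both still hit the same error message, so the specs pass, but a failure report will name the wrong case. The second block also passes `'/foo/bar/baz'` as `:package_name`, which looks like a copy of the path value; use a package-style name such as the `'mod_wsgi_package'` used above.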
@@ -66,6 +114,7 @@
:id => 'root',
:kernel => 'FreeBSD',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_class("apache::params") }
diff --git a/spec/classes/params_spec.rb b/spec/classes/params_spec.rb
index 6f63758a3a..92b314f92e 100644
--- a/spec/classes/params_spec.rb
+++ b/spec/classes/params_spec.rb
@@ -12,6 +12,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_apache__params }
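Review bot: `:is_pe => false` is pasted into this facts hash and into every other facts hash touched by this patch. A shared default (for example a `default_facts` helper like the one fastcgi_server_spec.rb already uses, or a default set in spec_helper) would keep the next required fact from needing another change of this size, and would avoid a context being missed.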
diff --git a/spec/classes/service_spec.rb b/spec/classes/service_spec.rb
index 4d6efbe3fd..ef3504d19e 100644
--- a/spec/classes/service_spec.rb
+++ b/spec/classes/service_spec.rb
@@ -15,6 +15,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_service("httpd").with(
@@ -60,6 +61,14 @@
end
end
+ context "$service_manage must be a bool" do
+ let (:params) {{ :service_manage => 'not-a-boolean' }}
+
+ it 'should fail' do
+ expect { subject }.to raise_error(Puppet::Error, /is not a boolean/)
+ end
+ end
+
context "with $service_ensure => 'running'" do
let (:params) {{ :service_ensure => 'running', }}
it { is_expected.to contain_service("httpd").with(
@@ -95,6 +104,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_service("httpd").with(
@@ -115,13 +125,40 @@
:id => 'root',
:kernel => 'FreeBSD',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
it { is_expected.to contain_service("httpd").with(
- 'name' => 'apache22',
+ 'name' => 'apache24',
'ensure' => 'running',
'enable' => 'true'
)
}
end
+
+ context "on a RedHat 5 OS, do not manage service" do
+ let :facts do
+ {
+ :osfamily => 'RedHat',
+ :operatingsystemrelease => '5',
+ :concat_basedir => '/dne',
+ :operatingsystem => 'RedHat',
+ :id => 'root',
+ :kernel => 'Linux',
+ :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
+ }
+ end
+ let(:params) do
+ {
+ 'service_ensure' => 'running',
+ 'service_name' => 'httpd',
+ 'service_manage' => false
+ }
+ end
+ it 'should not manage the httpd service' do
+ subject.should_not contain_service('httpd')
+ end
+ end
+
end
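Review bot: The new "do not manage service" example uses the legacy `subject.should_not contain_service('httpd')` form, while the rest of this file uses `is_expected`. Suggest `it { is_expected.not_to contain_service('httpd') }` for consistency and so the spec does not depend on the `should` syntax being enabled. The params hash here also uses string keys where the neighbouring contexts use symbols.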
diff --git a/spec/defines/balancermember_spec.rb b/spec/defines/balancermember_spec.rb
index b7293b390e..0322d308eb 100644
--- a/spec/defines/balancermember_spec.rb
+++ b/spec/defines/balancermember_spec.rb
@@ -28,6 +28,7 @@
:concat_basedir => '/dne',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
:kernel => 'Linux',
+ :is_pe => false,
}
end
describe "allows multiple balancermembers with the same url" do
diff --git a/spec/defines/custom_config_spec.rb b/spec/defines/custom_config_spec.rb
index 187b8a7b56..e9650a736b 100644
--- a/spec/defines/custom_config_spec.rb
+++ b/spec/defines/custom_config_spec.rb
@@ -17,6 +17,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
context 'defaults with content' do
diff --git a/spec/defines/fastcgi_server_spec.rb b/spec/defines/fastcgi_server_spec.rb
index 1dc8fd444a..efb913e6b0 100644
--- a/spec/defines/fastcgi_server_spec.rb
+++ b/spec/defines/fastcgi_server_spec.rb
@@ -18,6 +18,7 @@
:id => 'root',
:concat_basedir => '/dne',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
let :facts do default_facts end
@@ -39,6 +40,7 @@
:id => 'root',
:concat_basedir => '/dne',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
let :facts do default_facts end
@@ -59,6 +61,7 @@
:id => 'root',
:concat_basedir => '/dne',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
let :facts do default_facts end
@@ -66,7 +69,7 @@
it { should contain_class("apache::mod::fastcgi") }
it { should contain_file("fastcgi-pool-#{title}.conf").with(
:ensure => 'present',
- :path => "/usr/local/etc/apache22/Includes/fastcgi-pool-#{title}.conf"
+ :path => "/usr/local/etc/apache24/Includes/fastcgi-pool-#{title}.conf"
) }
end
end
@@ -81,6 +84,7 @@
:id => 'root',
:concat_basedir => '/dne',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
describe ".conf content" do
diff --git a/spec/defines/mod_spec.rb b/spec/defines/mod_spec.rb
index 377c877926..3700b0edb4 100644
--- a/spec/defines/mod_spec.rb
+++ b/spec/defines/mod_spec.rb
@@ -14,6 +14,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
@@ -57,6 +58,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
@@ -96,6 +98,7 @@
:id => 'root',
:kernel => 'FreeBSD',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
@@ -106,8 +109,8 @@
it { is_expected.to contain_class("apache::params") }
it "should manage the module load file" do
is_expected.to contain_file('spec_m.load').with({
- :path => '/usr/local/etc/apache22/Modules/spec_m.load',
- :content => "LoadModule spec_m_module /usr/local/libexec/apache22/mod_spec_m.so\n",
+ :path => '/usr/local/etc/apache24/Modules/spec_m.load',
+ :content => "LoadModule spec_m_module /usr/local/libexec/apache24/mod_spec_m.so\n",
:owner => 'root',
:group => 'wheel',
:mode => '0644',
diff --git a/spec/defines/modsec_link_spec.rb b/spec/defines/modsec_link_spec.rb
new file mode 100644
index 0000000000..a5b4c5390c
--- /dev/null
+++ b/spec/defines/modsec_link_spec.rb
@@ -0,0 +1,53 @@
+require 'spec_helper'
+
+describe 'apache::security::rule_link', :type => :define do
+ let :pre_condition do
+ 'class { "apache": }
+ class { "apache::mod::security": activated_rules => [] }
+ '
+ end
+
+ let :title do
+ 'base_rules/modsecurity_35_bad_robots.data'
+ end
+
+ context "on RedHat based systems" do
+ let :facts do
+ {
+ :osfamily => 'RedHat',
+ :operatingsystem => 'CentOS',
+ :operatingsystemrelease => '7',
+ :kernel => 'Linux',
+ :id => 'root',
+ :concat_basedir => '/',
+ :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
+ }
+ end
+ it { should contain_file('modsecurity_35_bad_robots.data').with(
+ :path => '/etc/httpd/modsecurity.d/activated_rules/modsecurity_35_bad_robots.data',
+ :target => '/usr/lib/modsecurity.d/base_rules/modsecurity_35_bad_robots.data'
+ ) }
+ end
+
+ context "on Debian based systems" do
+ let :facts do
+ {
+ :osfamily => 'Debian',
+ :operatingsystem => 'Debian',
+ :operatingsystemrelease => '6',
+ :concat_basedir => '/',
+ :lsbdistcodename => 'squeeze',
+ :id => 'root',
+ :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :kernel => 'Linux',
+ :is_pe => false,
+ }
+ end
+ it { should contain_file('modsecurity_35_bad_robots.data').with(
+ :path => '/etc/modsecurity/activated_rules/modsecurity_35_bad_robots.data',
+ :target => '/usr/share/modsecurity-crs/base_rules/modsecurity_35_bad_robots.data'
+ ) }
+ end
+
+end
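Review bot: Both contexts set `:concat_basedir => '/'`, whereas the other specs in this patch use `'/dne'`. Unless the root path is needed here, use `'/dne'` so the fact clearly points at a non-existent directory. The spec also only covers a title of the form `base_rules/<file>`; a case for a title without a directory component would document what the define does with it.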
diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb
index 84a95bf44d..807488369e 100644
--- a/spec/defines/vhost_spec.rb
+++ b/spec/defines/vhost_spec.rb
@@ -2,7 +2,7 @@
describe 'apache::vhost', :type => :define do
let :pre_condition do
- 'class { "apache": default_vhost => false, default_mods => false, }'
+ 'class { "apache": default_vhost => false, default_mods => false, vhost_enable_dir => "/etc/apache2/sites-enabled"}'
end
let :title do
'rspec.example.com'
@@ -24,6 +24,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
let :params do default_params end
@@ -42,6 +43,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
let :params do default_params end
@@ -68,6 +70,7 @@
:id => 'root',
:kernel => 'FreeBSD',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
let :params do default_params end
@@ -76,7 +79,7 @@
it { is_expected.to contain_class("apache::params") }
it { is_expected.to contain_file("25-rspec.example.com.conf").with(
:ensure => 'present',
- :path => '/usr/local/etc/apache22/Vhosts/25-rspec.example.com.conf'
+ :path => '/usr/local/etc/apache24/Vhosts/25-rspec.example.com.conf'
) }
end
end
@@ -91,6 +94,7 @@
:id => 'root',
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
}
end
describe 'basic assumptions' do
@@ -257,6 +261,7 @@
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
:kernelversion => '3.6.2',
+ :is_pe => false,
}
end
@@ -281,11 +286,17 @@
it { is_expected.to contain_class('apache::mod::passenger') }
it { is_expected.to contain_class('apache::mod::fastcgi') }
it { is_expected.to contain_class('apache::mod::headers') }
+ it { is_expected.to contain_class('apache::mod::setenvif') }
it { is_expected.to contain_concat('30-rspec.example.com.conf').with({
'owner' => 'root',
'mode' => '0644',
'require' => 'Package[httpd]',
- 'notify' => 'Service[httpd]',
+ 'notify' => 'Class[Apache::Service]',
+ })
+ }
+ it { is_expected.to contain_file('30-rspec.example.com.conf symlink').with({
+ 'ensure' => 'link',
+ 'path' => '/etc/apache2/sites-enabled/30-rspec.example.com.conf',
})
}
it { is_expected.to contain_concat__fragment('rspec.example.com-apache-header') }
@@ -322,6 +333,7 @@
it { is_expected.to contain_concat__fragment('rspec.example.com-custom_fragment') }
it { is_expected.to contain_concat__fragment('rspec.example.com-fastcgi') }
it { is_expected.to contain_concat__fragment('rspec.example.com-suexec') }
+ it { is_expected.to contain_concat__fragment('rspec.example.com-allow_encoded_slashes') }
it { is_expected.to contain_concat__fragment('rspec.example.com-passenger') }
it { is_expected.to contain_concat__fragment('rspec.example.com-charsets') }
it { is_expected.to contain_concat__fragment('rspec.example.com-file_footer') }
@@ -348,6 +360,7 @@
:kernel => 'Linux',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
:kernelversion => '3.6.2',
+ :is_pe => false,
}
end
@@ -406,6 +419,64 @@
it { is_expected.to contain_concat__fragment('rspec.example.com-file_footer') }
end
end
+ describe 'access logs' do
+ let :facts do
+ {
+ :osfamily => 'RedHat',
+ :operatingsystemrelease => '6',
+ :concat_basedir => '/dne',
+ :operatingsystem => 'RedHat',
+ :id => 'root',
+ :kernel => 'Linux',
+ :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :is_pe => false,
+ }
+ end
+ context 'single log file' do
+ let(:params) do
+ {
+ 'docroot' => '/rspec/docroot',
+ 'access_log_file' => 'my_log_file',
+ }
+ end
+ it { is_expected.to contain_concat__fragment('rspec.example.com-access_log').with(
+ :content => /^\s+CustomLog.*my_log_file" combined\s*$/
+ )}
+ end
+ context 'single log file with environment' do
+ let(:params) do
+ {
+ 'docroot' => '/rspec/docroot',
+ 'access_log_file' => 'my_log_file',
+ 'access_log_env_var' => 'prod'
+ }
+ end
+ it { is_expected.to contain_concat__fragment('rspec.example.com-access_log').with(
+ :content => /^\s+CustomLog.*my_log_file" combined\s+env=prod$/
+ )}
+ end
+ context 'multiple log files' do
+ let(:params) do
+ {
+ 'docroot' => '/rspec/docroot',
+ 'access_logs' => [
+ { 'file' => '/tmp/log1', 'env' => 'dev' },
+ { 'file' => 'log2' },
+ { 'syslog' => 'syslog', 'format' => '%h %l' }
+ ],
+ }
+ end
+ it { is_expected.to contain_concat__fragment('rspec.example.com-access_log').with(
+ :content => /^\s+CustomLog "\/tmp\/log1"\s+combined\s+env=dev$/
+ )}
+ it { is_expected.to contain_concat__fragment('rspec.example.com-access_log').with(
+ :content => /^\s+CustomLog "\/var\/log\/httpd\/log2"\s+combined\s*$/
+ )}
+ it { is_expected.to contain_concat__fragment('rspec.example.com-access_log').with(
+ :content => /^\s+CustomLog "syslog" "%h %l"\s*$/
+ )}
+ end
+ end # access logs
describe 'validation' do
context 'bad ensure' do
let :params do
@@ -619,5 +690,15 @@
let :facts do default_facts end
it { expect { is_expected.to compile }.to raise_error }
end
+ context 'bad access_logs' do
+ let :params do
+ {
+ 'docroot' => '/rspec/docroot',
+ 'access_logs' => '/var/log/somewhere',
+ }
+ end
+ let :facts do default_facts end
+ it { expect { is_expected.to compile }.to raise_error }
+ end
end
end
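Review bot: In the 'bad access_logs' context, `expect { is_expected.to compile }.to raise_error` has no error class or message, so it passes on any exception, including one unrelated to `access_logs` validation. Suggest `raise_error(Puppet::Error, /.../)` with the validation message, as service_spec.rb does for `service_manage` with `/is not a boolean/`.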
diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb
index 94178fbd7f..ce388328f9 100644
--- a/spec/spec_helper_acceptance.rb
+++ b/spec/spec_helper_acceptance.rb
@@ -41,7 +41,7 @@
on host, puppet('module','install','puppetlabs-apt'), { :acceptable_exit_codes => [0,1] }
end
on host, puppet('module','install','puppetlabs-stdlib'), { :acceptable_exit_codes => [0,1] }
- on host, puppet('module','install','puppetlabs-concat'), { :acceptable_exit_codes => [0,1] }
+ on host, puppet('module','install','puppetlabs-concat', '--version 1.1.1', '--force'), { :acceptable_exit_codes => [0,1] }
end
end
end
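Review bot: The concat install now pins `--version 1.1.1` with `--force`, and the call still accepts exit code 1. `--force` skips the dependency checks, and with `[0,1]` accepted a failed install of the pinned version goes unnoticed until a later test breaks. Suggest a comment explaining why 1.1.1 is required, and tightening `acceptable_exit_codes` to `[0]` for this line if a failure here should stop the run.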
diff --git a/templates/httpd.conf.erb b/templates/httpd.conf.erb
index 54d24c8ae3..9b889ac508 100644
--- a/templates/httpd.conf.erb
+++ b/templates/httpd.conf.erb
@@ -1,7 +1,7 @@
# Security
ServerTokens <%= @server_tokens %>
-ServerSignature <%= @server_signature %>
-TraceEnable <%= @trace_enable %>
+ServerSignature <%= scope.function_bool2httpd([@server_signature]) %>
+TraceEnable <%= scope.function_bool2httpd([@trace_enable]) %>
ServerName "<%= @servername %>"
ServerRoot "<%= @server_root %>"
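Review bot: `ServerSignature` and `TraceEnable` are now both routed through `bool2httpd`, but neither directive is purely boolean: httpd also accepts `EMail` for `ServerSignature` and `extended` for `TraceEnable`. Please confirm `bool2httpd` passes non-boolean strings through unchanged, and add a spec for those two values so existing manifests that set them keep rendering the same line.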
diff --git a/templates/mod/auth_cas.conf.erb b/templates/mod/auth_cas.conf.erb
new file mode 100644
index 0000000000..926bd65f52
--- /dev/null
+++ b/templates/mod/auth_cas.conf.erb
@@ -0,0 +1,40 @@
+CASCookiePath <%= @cas_cookie_path %>
+CASLoginURL <%= @cas_login_url %>
+CASValidateURL <%= @cas_validate_url %>
+
+CASVersion <%= @cas_version %>
+CASDebug <%= @cas_debug %>
+
+<% if @cas_certificate_path -%>
+CASCertificatePath <%= @cas_certificate_path %>
+<% end -%>
+<% if @cas_proxy_validate_url -%>
+CASProxyValidateURL <%= @cas_proxy_validate_url %>
+<% end -%>
+<% if @cas_validate_depth -%>
+CASValidateDepth <%= @cas_validate_depth %>
+<% end -%>
+<% if @cas_root_proxied_as -%>
+CASRootProxiedAs <%= @cas_root_proxied_as %>
+<% end -%>
+<% if @cas_cookie_entropy -%>
+CASCookieEntropy <%= @cas_cookie_entropy %>
+<% end -%>
+<% if @cas_timeout -%>
+CASTimeout <%= @cas_timeout %>
+<% end -%>
+<% if @cas_idle_timeout -%>
+CASIdleTimeout <%= @cas_idle_timeout %>
+<% end -%>
+<% if @cas_cache_clean_interval -%>
+CASCacheCleanInterval <%= @cas_cache_clean_interval %>
+<% end -%>
+<% if @cas_cookie_domain -%>
+CASCookieDomain <%= @cas_cookie_domain %>
+<% end -%>
+<% if @cas_cookie_http_only -%>
+CASCookieHttpOnly <%= @cas_cookie_http_only %>
+<% end -%>
+<% if @cas_authoritative -%>
+CASAuthoritative <%= @cas_authoritative %>
+<% end -%>
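Review bot: The optional directives are guarded by truthiness (`<% if @cas_cookie_http_only -%>`, `<% if @cas_authoritative -%>`), so passing `false` omits the line instead of rendering an explicit Off, and an operator cannot override the module default in that direction. If these parameters are meant to be booleans, test for `nil`/`undef` instead and render the value through `bool2httpd` as httpd.conf.erb now does. `CASDebug <%= @cas_debug %>` is emitted unconditionally and would render `true`/`false` for a boolean, which needs the same treatment.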
diff --git a/templates/mod/event.conf.erb b/templates/mod/event.conf.erb
index 40099543d5..970ce088ce 100644
--- a/templates/mod/event.conf.erb
+++ b/templates/mod/event.conf.erb
@@ -1,9 +1,13 @@
- ServerLimit <%= @serverlimit %>
- StartServers <%= @startservers %>
- MaxClients <%= @maxclients %>
- MinSpareThreads <%= @minsparethreads %>
- MaxSpareThreads <%= @maxsparethreads %>
- ThreadsPerChild <%= @threadsperchild %>
- MaxRequestsPerChild <%= @maxrequestsperchild %>
+ ServerLimit <%= @serverlimit %>
+ StartServers <%= @startservers %>
+ MaxClients <%= @maxclients %>
+ MinSpareThreads <%= @minsparethreads %>
+ MaxSpareThreads <%= @maxsparethreads %>
+ ThreadsPerChild <%= @threadsperchild %>
+ MaxRequestsPerChild <%= @maxrequestsperchild %>
+ ThreadLimit <%= @threadlimit %>
+ ListenBacklog <%= @listenbacklog %>
+ MaxRequestWorkers <%= @maxrequestworkers %>
+ MaxConnectionsPerChild <%= @maxconnectionsperchild %>
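Review bot: `MaxClients` and `MaxRequestWorkers` are now both rendered unconditionally, as are `MaxRequestsPerChild` and `MaxConnectionsPerChild`. In httpd 2.4 the second name of each pair is the rename of the first, so the later line wins and `@maxclients` / `@maxrequestsperchild` silently stop having any effect; on 2.2 the new names are not recognised directives. Suggest rendering only one of each pair, selected with the same `versioncmp` check against `::apache::apache_version` that security.conf.erb uses.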
diff --git a/templates/mod/passenger.conf.erb b/templates/mod/passenger.conf.erb
index dd9eee3b13..a56d2d5d14 100644
--- a/templates/mod/passenger.conf.erb
+++ b/templates/mod/passenger.conf.erb
@@ -1,4 +1,4 @@
-# The Passanger Apache module configuration file is being
+# The Passenger Apache module configuration file is being
# managed by Puppet and changes will be overwritten.
<%- if @passenger_root -%>
diff --git a/templates/mod/security.conf.erb b/templates/mod/security.conf.erb
new file mode 100644
index 0000000000..7597c461f6
--- /dev/null
+++ b/templates/mod/security.conf.erb
@@ -0,0 +1,68 @@
+
+ # ModSecurity Core Rules Set configuration
+<%- if scope.function_versioncmp([scope.lookupvar('::apache::apache_version'), '2.4']) >= 0 -%>
+ IncludeOptional <%= @modsec_dir %>/*.conf
+ IncludeOptional <%= @modsec_dir %>/activated_rules/*.conf
+<%- else -%>
+ Include <%= @modsec_dir %>/*.conf
+ Include <%= @modsec_dir %>/activated_rules/*.conf
+<%- end -%>
+
+ # Default recommended configuration
+ SecRuleEngine On
+ SecRequestBodyAccess On
+ SecRule REQUEST_HEADERS:Content-Type "text/xml" \
+ "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+ SecRequestBodyLimit 13107200
+ SecRequestBodyNoFilesLimit 131072
+ SecRequestBodyInMemoryLimit 131072
+ SecRequestBodyLimitAction Reject
+ SecRule REQBODY_ERROR "!@eq 0" \
+ "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+ SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+ "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body failed strict validation: \
+ PE %{REQBODY_PROCESSOR_ERROR}, \
+ BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+ BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+ DB %{MULTIPART_DATA_BEFORE}, \
+ DA %{MULTIPART_DATA_AFTER}, \
+ HF %{MULTIPART_HEADER_FOLDING}, \
+ LF %{MULTIPART_LF_LINE}, \
+ SM %{MULTIPART_MISSING_SEMICOLON}, \
+ IQ %{MULTIPART_INVALID_QUOTING}, \
+ IP %{MULTIPART_INVALID_PART}, \
+ IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+ FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+
+ SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+ "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+ SecPcreMatchLimit 1000
+ SecPcreMatchLimitRecursion 1000
+
+ SecRule TX:/^MSC_/ "!@streq 0" \
+ "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+
+ SecResponseBodyAccess Off
+ SecResponseBodyMimeType text/plain text/html text/xml
+ SecResponseBodyLimit 524288
+ SecResponseBodyLimitAction ProcessPartial
+ SecDebugLogLevel 0
+ SecAuditEngine RelevantOnly
+ SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+ SecAuditLogParts ABIJDEFHZ
+ SecAuditLogType Serial
+ SecArgumentSeparator &
+ SecCookieFormat 0
+<%- if scope.lookupvar('::osfamily') == 'Debian' -%>
+ SecDebugLog /var/log/apache2/modsec_debug.log
+ SecAuditLog /var/log/apache2/modsec_audit.log
+ SecTmpDir /var/cache/modsecurity
+ SecDataDir /var/cache/modsecurity
+<% else -%>
+ SecDebugLog /var/log/httpd/modsec_debug.log
+ SecAuditLog /var/log/httpd/modsec_audit.log
+ SecTmpDir /var/lib/mod_security
+ SecDataDir /var/lib/mod_security
+<% end -%>
+
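Review bot: Rules 200002 and 200003 use `status:44`, which is not a valid HTTP status code; rule 200001 just above uses `status:400`, so this looks like a dropped digit. Please change both to `status:400`. Separately, `SecRuleEngine On` and the `SecRequestBodyLimit` values are hard-coded in the template, so a site that wants to start in detection-only mode has no parameter to do it with, and the `<%- if ... -%>` / `<% else -%>` tag styles are mixed between the two conditionals.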
diff --git a/templates/mod/security_crs.conf.erb b/templates/mod/security_crs.conf.erb
new file mode 100644
index 0000000000..016efc797e
--- /dev/null
+++ b/templates/mod/security_crs.conf.erb
@@ -0,0 +1,428 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# -- [[ Recommended Base Configuration ]] -------------------------------------------------
+#
+# The configuration directives/settings in this file are used to control
+# the OWASP ModSecurity CRS. These settings do **NOT** configure the main
+# ModSecurity settings such as:
+#
+# - SecRuleEngine
+# - SecRequestBodyAccess
+# - SecAuditEngine
+# - SecDebugLog
+#
+# You should use the modsecurity.conf-recommended file that comes with the
+# ModSecurity source code archive.
+#
+# Ref: http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/modsecurity.conf-recommended
+#
+
+
+#
+# -- [[ Rule Version ]] -------------------------------------------------------------------
+#
+# Rule version data is added to the "Producer" line of Section H of the Audit log:
+#
+# - Producer: ModSecurity for Apache/2.7.0-rc1 (http://www.modsecurity.org/); OWASP_CRS/2.2.4.
+#
+# Ref: https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecComponentSignature
+#
+SecComponentSignature "OWASP_CRS/2.2.6"
+
+
+#
+# -- [[ Modes of Operation: Self-Contained vs. Collaborative Detection ]] -----------------
+#
+# Each detection rule uses the "block" action which will inherit the SecDefaultAction
+# specified below. Your settings here will determine which mode of operation you use.
+#
+# -- [[ Self-Contained Mode ]] --
+# Rules inherit the "deny" disruptive action. The first rule that matches will block.
+#
+# -- [[ Collaborative Detection Mode ]] --
+# This is a "delayed blocking" mode of operation where each matching rule will inherit
+# the "pass" action and will only contribute to anomaly scores. Transactional blocking
+# can be applied
+#
+# -- [[ Alert Logging Control ]] --
+# You have three options -
+#
+# - To log to both the Apache error_log and ModSecurity audit_log file use: "log"
+# - To log *only* to the ModSecurity audit_log file use: "nolog,auditlog"
+# - To log *only* to the Apache error_log file use: "log,noauditlog"
+#
+# Ref: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html
+# Ref: https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecDefaultAction
+#
+SecDefaultAction "phase:1,deny,log"
+
+
+#
+# -- [[ Collaborative Detection Severity Levels ]] ----------------------------------------
+#
+# These are the default scoring points for each severity level. You may
+# adjust these to you liking. These settings will be used in macro expansion
+# in the rules to increment the anomaly scores when rules match.
+#
+# These are the default Severity ratings (with anomaly scores) of the individual rules -
+#
+# - 2: Critical - Anomaly Score of 5.
+# Is the highest severity level possible without correlation. It is
+# normally generated by the web attack rules (40 level files).
+# - 3: Error - Anomaly Score of 4.
+# Is generated mostly from outbound leakage rules (50 level files).
+# - 4: Warning - Anomaly Score of 3.
+# Is generated by malicious client rules (35 level files).
+# - 5: Notice - Anomaly Score of 2.
+# Is generated by the Protocol policy and anomaly files.
+#
+SecAction \
+ "id:'900001', \
+ phase:1, \
+ t:none, \
+ setvar:tx.critical_anomaly_score=5, \
+ setvar:tx.error_anomaly_score=4, \
+ setvar:tx.warning_anomaly_score=3, \
+ setvar:tx.notice_anomaly_score=2, \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ Collaborative Detection Scoring Threshold Levels ]] ------------------------------
+#
+# These variables are used in macro expansion in the 49 inbound blocking and 59
+# outbound blocking files.
+#
+# **MUST HAVE** ModSecurity v2.5.12 or higher to use macro expansion in numeric
+# operators. If you have an earlier version, edit the 49/59 files directly to
+# set the appropriate anomaly score levels.
+#
+# You should set the score to the proper threshold you would prefer. If set to "5"
+# it will work similarly to previous Mod CRS rules and will create an event in the error_log
+# file if there are any rules that match. If you would like to lessen the number of events
+# generated in the error_log file, you should increase the anomaly score threshold to
+# something like "20". This would only generate an event in the error_log file if
+# there are multiple lower severity rule matches or if any 1 higher severity item matches.
+#
+SecAction \
+ "id:'900002', \
+ phase:1, \
+ t:none, \
+ setvar:tx.inbound_anomaly_score_level=5, \
+ nolog, \
+ pass"
+
+
+SecAction \
+ "id:'900003', \
+ phase:1, \
+ t:none, \
+ setvar:tx.outbound_anomaly_score_level=4, \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ Collaborative Detection Blocking ]] -----------------------------------------------
+#
+# This is a collaborative detection mode where each rule will increment an overall
+# anomaly score for the transaction. The scores are then evaluated in the following files:
+#
+# Inbound anomaly score - checked in the modsecurity_crs_49_inbound_blocking.conf file
+# Outbound anomaly score - checked in the modsecurity_crs_59_outbound_blocking.conf file
+#
+# If you want to use anomaly scoring mode, then uncomment this line.
+#
+#SecAction \
+ "id:'900004', \
+ phase:1, \
+ t:none, \
+ setvar:tx.anomaly_score_blocking=on, \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ GeoIP Database ]] -----------------------------------------------------------------
+#
+# There are some rulesets that need to inspect the GEO data of the REMOTE_ADDR data.
+#
+# You must first download the MaxMind GeoIP Lite City DB -
+#
+# http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
+#
+# You then need to define the proper path for the SecGeoLookupDb directive
+#
+# Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html
+# Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html
+#
+#SecGeoLookupDb /opt/modsecurity/lib/GeoLiteCity.dat
+
+#
+# -- [[ Regression Testing Mode ]] --------------------------------------------------------
+#
+# If you are going to run the regression testing mode, you should uncomment the
+# following rule. It will enable DetectionOnly mode for the SecRuleEngine and
+# will enable Response Header tagging so that the client testing script can see
+# which rule IDs have matched.
+#
+# You must specify the your source IP address where you will be running the tests
+# from.
+#
+#SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
+ "id:'900005', \
+ phase:1, \
+ t:none, \
+ ctl:ruleEngine=DetectionOnly, \
+ setvar:tx.regression_testing=1, \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ HTTP Policy Settings ]] ----------------------------------------------------------
+#
+# Set the following policy settings here and they will be propagated to the 23 rules
+# file (modsecurity_common_23_request_limits.conf) by using macro expansion.
+# If you run into false positives, you can adjust the settings here.
+#
+# Only the max number of args is uncommented by default as there are a high rate
+# of false positives. Uncomment the items you wish to set.
+#
+#
+# -- Maximum number of arguments in request limited
+SecAction \
+ "id:'900006', \
+ phase:1, \
+ t:none, \
+ setvar:tx.max_num_args=255, \
+ nolog, \
+ pass"
+
+#
+# -- Limit argument name length
+#SecAction \
+ "id:'900007', \
+ phase:1, \
+ t:none, \
+ setvar:tx.arg_name_length=100, \
+ nolog, \
+ pass"
+
+#
+# -- Limit value name length
+#SecAction \
+ "id:'900008', \
+ phase:1, \
+ t:none, \
+ setvar:tx.arg_length=400, \
+ nolog, \
+ pass"
+
+#
+# -- Limit arguments total length
+#SecAction \
+ "id:'900009', \
+ phase:1, \
+ t:none, \
+ setvar:tx.total_arg_length=64000, \
+ nolog, \
+ pass"
+
+#
+# -- Individual file size is limited
+#SecAction \
+ "id:'900010', \
+ phase:1, \
+ t:none, \
+ setvar:tx.max_file_size=1048576, \
+ nolog, \
+ pass"
+
+#
+# -- Combined file size is limited
+#SecAction \
+ "id:'900011', \
+ phase:1, \
+ t:none, \
+ setvar:tx.combined_file_sizes=1048576, \
+ nolog, \
+ pass"
+
+
+#
+# Set the following policy settings here and they will be propagated to the 30 rules
+# file (modsecurity_crs_30_http_policy.conf) by using macro expansion.
+# If you run into false positves, you can adjust the settings here.
+#
+SecAction \
+ "id:'900012', \
+ phase:1, \
+ t:none, \
+ setvar:'tx.allowed_methods=<%= @allowed_methods -%>', \
+ setvar:'tx.allowed_request_content_type=<%= @content_types -%>', \
+ setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
+ setvar:'tx.restricted_extensions=<%= @restricted_extensions -%>', \
+ setvar:'tx.restricted_headers=<%= @restricted_headers -%>', \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ Content Security Policy (CSP) Settings ]] -----------------------------------------
+#
+# The purpose of these settings is to send CSP response headers to
+# Mozilla FireFox users so that you can enforce how dynamic content
+# is used. CSP usage helps to prevent XSS attacks against your users.
+#
+# Reference Link:
+#
+# https://developer.mozilla.org/en/Security/CSP
+#
+# Uncomment this SecAction line if you want use CSP enforcement.
+# You need to set the appropriate directives and settings for your site/domain and
+# and activate the CSP file in the experimental_rules directory.
+#
+# Ref: http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-integrating-content-security-policy-csp.html
+#
+#SecAction \
+ "id:'900013', \
+ phase:1, \
+ t:none, \
+ setvar:tx.csp_report_only=1, \
+ setvar:tx.csp_report_uri=/csp_violation_report, \
+ setenv:'csp_policy=allow \'self\'; img-src *.yoursite.com; media-src *.yoursite.com; style-src *.yoursite.com; frame-ancestors *.yoursite.com; script-src *.yoursite.com; report-uri %{tx.csp_report_uri}', \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ Brute Force Protection ]] ---------------------------------------------------------
+#
+# If you are using the Brute Force Protection rule set, then uncomment the following
+# lines and set the following variables:
+# - Protected URLs: resources to protect (e.g. login pages) - set to your login page
+# - Burst Time Slice Interval: time interval window to monitor for bursts
+# - Request Threshold: request # threshold to trigger a burst
+# - Block Period: temporary block timeout
+#
+#SecAction \
+ "id:'900014', \
+ phase:1, \
+ t:none, \
+ setvar:'tx.brute_force_protected_urls=/login.jsp /partner_login.php', \
+ setvar:'tx.brute_force_burst_time_slice=60', \
+ setvar:'tx.brute_force_counter_threshold=10', \
+ setvar:'tx.brute_force_block_timeout=300', \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ DoS Protection ]] ----------------------------------------------------------------
+#
+# If you are using the DoS Protection rule set, then uncomment the following
+# lines and set the following variables:
+# - Burst Time Slice Interval: time interval window to monitor for bursts
+# - Request Threshold: request # threshold to trigger a burst
+# - Block Period: temporary block timeout
+#
+#SecAction \
+ "id:'900015', \
+ phase:1, \
+ t:none, \
+ setvar:'tx.dos_burst_time_slice=60', \
+ setvar:'tx.dos_counter_threshold=100', \
+ setvar:'tx.dos_block_timeout=600', \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ Check UTF enconding ]] -----------------------------------------------------------
+#
+# We only want to apply this check if UTF-8 encoding is actually used by the site, otherwise
+# it will result in false positives.
+#
+# Uncomment this line if your site uses UTF8 encoding
+#SecAction \
+ "id:'900016', \
+ phase:1, \
+ t:none, \
+ setvar:tx.crs_validate_utf8_encoding=1, \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ Enable XML Body Parsing ]] -------------------------------------------------------
+#
+# The rules in this file will trigger the XML parser upon an XML request
+#
+# Initiate XML Processor in case of xml content-type
+#
+SecRule REQUEST_HEADERS:Content-Type "text/xml" \
+ "id:'900017', \
+ phase:1, \
+ t:none,t:lowercase, \
+ nolog, \
+ pass, \
+ chain"
+ SecRule REQBODY_PROCESSOR "!@streq XML" \
+ "ctl:requestBodyProcessor=XML"
+
+
+#
+# -- [[ Global and IP Collections ]] -----------------------------------------------------
+#
+# Create both Global and IP collections for rules to use
+# There are some CRS rules that assume that these two collections
+# have already been initiated.
+#
+SecRule REQUEST_HEADERS:User-Agent "^(.*)$" \
+ "id:'900018', \
+ phase:1, \
+ t:none,t:sha1,t:hexEncode, \
+ setvar:tx.ua_hash=%{matched_var}, \
+ nolog, \
+ pass"
+
+
+SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" \
+ "id:'900019', \
+ phase:1, \
+ t:none, \
+ capture, \
+ setvar:tx.real_ip=%{tx.1}, \
+ nolog, \
+ pass"
+
+
+SecRule &TX:REAL_IP "!@eq 0" \
+ "id:'900020', \
+ phase:1, \
+ t:none, \
+ initcol:global=global, \
+ initcol:ip=%{tx.real_ip}_%{tx.ua_hash}, \
+ nolog, \
+ pass"
+
+
+SecRule &TX:REAL_IP "@eq 0" \
+ "id:'900021', \
+ phase:1, \
+ t:none, \
+ initcol:global=global, \
+ initcol:ip=%{remote_addr}_%{tx.ua_hash}, \
+ nolog, \
+ pass"
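Review bot: rules 900019 and 900020 key the per-client `ip` collection on whatever address appears first in `X-Forwarded-For`, and that header is client-supplied unless a trusted proxy in front of Apache overwrites it. The brute force and DoS settings earlier in this file count per collection, so on a directly exposed server those counters can be reset, or charged to another address, by changing the header. Consider rendering 900019/900020 only when a template parameter says the vhost sits behind a trusted proxy, so that the default falls through to 900021 and `%{remote_addr}`. Separately, 900012 templates every list except `tx.allowed_http_versions`, which stays hard-coded and still includes `HTTP/0.9`; a parameter there would be consistent with the other four.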
diff --git a/templates/mod/ssl.conf.erb b/templates/mod/ssl.conf.erb
index e92e37e7a9..6fb25c16ee 100644
--- a/templates/mod/ssl.conf.erb
+++ b/templates/mod/ssl.conf.erb
@@ -1,13 +1,13 @@
SSLRandomSeed startup builtin
- SSLRandomSeed startup file:/dev/urandom 512
+ SSLRandomSeed startup file:/dev/urandom <%= @ssl_random_seed_bytes %>
SSLRandomSeed connect builtin
- SSLRandomSeed connect file:/dev/urandom 512
+ SSLRandomSeed connect file:/dev/urandom <%= @ssl_random_seed_bytes %>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
- SSLPassPhraseDialog builtin
+ SSLPassPhraseDialog <%= @ssl_pass_phrase_dialog %>
SSLSessionCache "shmcb:<%= @session_cache %>"
SSLSessionCacheTimeout 300
<% if @ssl_compression -%>
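Review bot: `SSLPassPhraseDialog <%= @ssl_pass_phrase_dialog %>` renders the parameter verbatim, and besides `builtin` this directive accepts `|/path/to/program` and `exec:/path/to/program`, which make httpd run that program at startup. The manifest should validate the value against those three forms (for example with `validate_re`) and the parameter documentation should say that the program runs with the privileges of the starting process. `@ssl_random_seed_bytes` is used twice on the `SSLRandomSeed` lines and should likewise be checked to be a positive integer, since an empty or non-numeric value changes how the directive is parsed.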
diff --git a/templates/mod/status.conf.erb b/templates/mod/status.conf.erb
index 84f2e03430..f02ed156ff 100644
--- a/templates/mod/status.conf.erb
+++ b/templates/mod/status.conf.erb
@@ -1,4 +1,4 @@
-
+>
SetHandler server-status
<%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>
Require ip <%= Array(@allow_from).join(" ") %>
diff --git a/templates/vhost.conf.erb b/templates/vhost.conf.erb
deleted file mode 100644
index 859a3ae7f4..0000000000
--- a/templates/vhost.conf.erb
+++ /dev/null
@@ -1,69 +0,0 @@
-# ************************************
-# Vhost template in module puppetlabs-apache
-# Managed by Puppet
-# ************************************
-
->
- ServerName <%= @servername %>
-<% if @serveradmin -%>
- ServerAdmin <%= @serveradmin %>
-<% end -%>
-
- ## Vhost docroot
-<% if @virtual_docroot -%>
- VirtualDocumentRoot "<%= @virtual_docroot %>"
-<% else -%>
- DocumentRoot "<%= @docroot %>"
-<% end -%>
-<%= scope.function_template(['apache/vhost/_aliases.erb']) -%>
-
-<%= scope.function_template(['apache/vhost/_itk.erb']) -%>
-
-<% if @fallbackresource -%>
- FallbackResource <%= @fallbackresource %>
-<% end -%>
-<%- if @allow_encoded_slashes -%>
- AllowEncodedSlashes <%= @allow_encoded_slashes %>
-<%- end -%>
-
- ## Directories, there should at least be a declaration for <%= @docroot %>
-<%= scope.function_template(['apache/vhost/_directories.erb']) -%>
-
- ## Load additional static includes
-<% Array(@additional_includes).each do |include| -%>
- Include "<%= include %>"
-<% end -%>
-
- ## Logging
-<% if @error_log -%>
- ErrorLog "<%= @error_log_destination %>"
-<% end -%>
-<% if @log_level -%>
- LogLevel <%= @log_level %>
-<% end -%>
- ServerSignature Off
-<% if @access_log and @_access_log_env_var -%>
- CustomLog "<%= @access_log_destination %>" <%= @_access_log_format %> <%= @_access_log_env_var %>
-<% elsif @access_log -%>
- CustomLog "<%= @access_log_destination %>" <%= @_access_log_format %>
-<% end -%>
-<%= scope.function_template(['apache/vhost/_action.erb']) -%>
-<%= scope.function_template(['apache/vhost/_block.erb']) -%>
-<%= scope.function_template(['apache/vhost/_error_document.erb']) -%>
-<%= scope.function_template(['apache/vhost/_proxy.erb']) -%>
-<%= scope.function_template(['apache/vhost/_rack.erb']) -%>
-<%= scope.function_template(['apache/vhost/_redirect.erb']) -%>
-<%= scope.function_template(['apache/vhost/_rewrite.erb']) -%>
-<%= scope.function_template(['apache/vhost/_scriptalias.erb']) -%>
-<%= scope.function_template(['apache/vhost/_serveralias.erb']) -%>
-<%= scope.function_template(['apache/vhost/_setenv.erb']) -%>
-<%= scope.function_template(['apache/vhost/_ssl.erb']) -%>
-<%= scope.function_template(['apache/vhost/_suphp.erb']) -%>
-<%= scope.function_template(['apache/vhost/_php_admin.erb']) -%>
-<%= scope.function_template(['apache/vhost/_header.erb']) -%>
-<%= scope.function_template(['apache/vhost/_requestheader.erb']) -%>
-<%= scope.function_template(['apache/vhost/_wsgi.erb']) -%>
-<%= scope.function_template(['apache/vhost/_custom_fragment.erb']) -%>
-<%= scope.function_template(['apache/vhost/_fastcgi.erb']) -%>
-<%= scope.function_template(['apache/vhost/_suexec.erb']) -%>
-
diff --git a/templates/vhost/_access_log.erb b/templates/vhost/_access_log.erb
index 1ec47ff710..d1ec426a4a 100644
--- a/templates/vhost/_access_log.erb
+++ b/templates/vhost/_access_log.erb
@@ -1,5 +1,21 @@
-<% if @access_log and @_access_log_env_var -%>
- CustomLog "<%= @access_log_destination %>" <%= @_access_log_format %> <%= @_access_log_env_var %>
-<% elsif @access_log -%>
- CustomLog "<%= @access_log_destination %>" <%= @_access_log_format %>
+<% @_access_logs.each do |log| -%>
+<% env ||= "env=#{log['env']}" if log['env'] -%>
+<% env ||= '' -%>
+<% format ||= "\"#{log['format']}\"" if log['format'] -%>
+<% format ||= 'combined' -%>
+<% if log['file'] -%>
+<% if log['file'].chars.first == '/' -%>
+<% destination = "#{log['file']}" -%>
+<% else -%>
+<% destination = "#{@logroot}/#{log['file']}" -%>
+<% end -%>
+<% elsif log['syslog'] -%>
+<% destination = "syslog" -%>
+<% elsif log['pipe'] -%>
+<% destination = log['pipe'] -%>
+<% else -%>
+<% destination ||= "#{@logroot}/#{@name}_access_ssl.log" if @ssl -%>
+<% destination ||= "#{@logroot}/#{@name}_access.log" -%>
+<% end -%>
+ CustomLog "<%= destination %>" <%= format %> <%= env %>
<% end -%>
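Review bot: the `elsif log['syslog']` branch discards the configured value and always sets `destination = "syslog"`. `CustomLog` takes a file path or a piped command as its first argument, so this renders a log file literally named `syslog` relative to ServerRoot instead of sending anything to syslog. Either use the value (`destination = log['syslog']`, documented as a pipe to a logger command) or drop the key. The `log['pipe']` and `log['file']` values are also written straight into the directive, so they should be validated in the manifest: a pipe destination is a command httpd will execute, and an embedded `"` or newline would break out of the quoted argument. The `||=` assignments inside the block read as if state carries over between iterations; plain `=` with an `if`/`else` would be clearer.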
diff --git a/templates/vhost/_additional_includes.erb b/templates/vhost/_additional_includes.erb
index d4d5f91342..aa9f0fe351 100644
--- a/templates/vhost/_additional_includes.erb
+++ b/templates/vhost/_additional_includes.erb
@@ -1,5 +1,10 @@
<% Array(@additional_includes).each do |include| -%>
-
+
## Load additional static includes
- Include "<%= include %>"
+<%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 && @use_optional_includes -%>
+IncludeOptional "<%= include %>"
+<%- else -%>
+Include "<%= include %>"
+<%- end -%>
+
<% end -%>
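Review bot: with `@use_optional_includes` set, a mistyped or missing path in `additional_includes` no longer fails the configuration check, because `IncludeOptional` is silently ignored when nothing matches. That is risky when the included file carries access control or ModSecurity rules, since the vhost then starts without them and nothing is logged. Please document the parameter with that caveat and keep the default at `Include`. The new `IncludeOptional` and `Include` lines also lose the leading indentation the removed `Include` line had, which makes the rendered vhost inconsistent with the other fragments.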
diff --git a/templates/vhost/_allow_encoded_slashes.erb b/templates/vhost/_allow_encoded_slashes.erb
new file mode 100644
index 0000000000..40c73433b1
--- /dev/null
+++ b/templates/vhost/_allow_encoded_slashes.erb
@@ -0,0 +1,4 @@
+<%- if @allow_encoded_slashes -%>
+
+ AllowEncodedSlashes <%= @allow_encoded_slashes %>
+<%- end -%>
diff --git a/templates/vhost/_directories.erb b/templates/vhost/_directories.erb
index e756875f29..685dad9a1f 100644
--- a/templates/vhost/_directories.erb
+++ b/templates/vhost/_directories.erb
@@ -3,20 +3,20 @@
## Directories, there should at least be a declaration for <%= @docroot %>
<%- [@_directories].flatten.compact.each do |directory| -%>
<%- if directory['path'] and directory['path'] != '' -%>
- <%- if directory['provider'] and directory['provider'].match('(directory|location|files)') -%>
- <%- if /^(.*)match$/ =~ directory['provider'] -%>
- <%- provider = $1.capitalize + 'Match' -%>
- <%- else -%>
- <%- provider = directory['provider'].capitalize -%>
- <%- end -%>
- <%- else -%>
- <%- provider = 'Directory' -%>
- <%- end -%>
- <%- path = directory['path'] -%>
+ <%- if directory['provider'] and directory['provider'].match('(directory|location|files)') -%>
+ <%- if /^(.*)match$/ =~ directory['provider'] -%>
+ <%- provider = $1.capitalize + 'Match' -%>
+ <%- else -%>
+ <%- provider = directory['provider'].capitalize -%>
+ <%- end -%>
+ <%- else -%>
+ <%- provider = 'Directory' -%>
+ <%- end -%>
+ <%- path = directory['path'] -%>
<<%= provider %> "<%= path %>">
- <%- if directory['headers'] -%>
- <%- Array(directory['headers']).each do |header| -%>
+ <%- if directory['headers'] -%>
+ <%- Array(directory['headers']).each do |header| -%>
Header <%= header %>
<%- end -%>
<%- end -%>
@@ -87,14 +87,25 @@
<%- if directory['passenger_enabled'] and directory['passenger_enabled'] != '' -%>
PassengerEnabled <%= directory['passenger_enabled'] %>
<%- end -%>
+ <%- if directory['php_flags'] and ! directory['php_flags'].empty? -%>
+ <%- directory['php_flags'].sort.each do |flag,value| -%>
+ <%- value = if value =~ /true|yes|on|1/i then 'on' else 'off' end -%>
+ php_flag <%= "#{flag} #{value}" %>
+ <%- end -%>
+ <%- end -%>
+ <%- if directory['php_values'] and ! directory['php_values'].empty? -%>
+ <%- directory['php_values'].sort.each do |key,value| -%>
+ php_value <%= "#{key} #{value}" %>
+ <%- end -%>
+ <%- end -%>
<%- if directory['php_admin_flags'] and ! directory['php_admin_flags'].empty? -%>
- <%- directory['php_admin_flags'].each do |flag,value| -%>
- <%- value = if value =~ /true|yes|on|1/i then 'on' else 'off' end -%>
+ <%- directory['php_admin_flags'].sort.each do |flag,value| -%>
+ <%- value = if value =~ /true|yes|on|1/i then 'on' else 'off' end -%>
php_admin_flag <%= "#{flag} #{value}" %>
<%- end -%>
<%- end -%>
<%- if directory['php_admin_values'] and ! directory['php_admin_values'].empty? -%>
- <%- directory['php_admin_values'].each do |key,value| -%>
+ <%- directory['php_admin_values'].sort.each do |key,value| -%>
php_admin_value <%= "#{key} #{value}" %>
<%- end -%>
<%- end -%>
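Review bot: the normalisation `value =~ /true|yes|on|1/i`, now used for both `php_flags` and `php_admin_flags`, is unanchored, so any value that merely contains one of those substrings is rendered as `on`: `none`, `10` and `don't` all match. A Puppet boolean `true` goes the other way, because `=~` on a non-string returns nil and the flag is rendered `off`. For settings such as `display_errors` or `allow_url_fopen` that is the opposite of what the manifest author asked for. Suggest `value.to_s =~ /\A(true|yes|on|1)\z/i`, ideally in one shared helper, with a spec covering `true`, `'off'` and `'none'`.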
@@ -195,6 +206,11 @@
<%- end -%>
<%- end -%>
<%- end -%>
+ <%- if directory['setenv'] -%>
+ <%- Array(directory['setenv']).each do |setenv| -%>
+ SetEnv <%= setenv %>
+ <%- end -%>
+ <%- end -%>
<%- if @shibboleth_enabled -%>
<%- if directory['shib_require_session'] and ! directory['shib_require_session'].empty? -%>
ShibRequireSession <%= directory['shib_require_session'] %>
diff --git a/templates/vhost/_php.erb b/templates/vhost/_php.erb
new file mode 100644
index 0000000000..369fdb7f92
--- /dev/null
+++ b/templates/vhost/_php.erb
@@ -0,0 +1,12 @@
+<% if @php_values and not @php_values.empty? -%>
+ <%- @php_values.sort.each do |key,value| -%>
+ php_value <%= key %> <%= value %>
+ <%- end -%>
+<% end -%>
+<% if @php_flags and not @php_flags.empty? -%>
+ <%- @php_flags.sort.each do |key,flag| -%>
+ <%-# normalize flag -%>
+ <%- if flag =~ /true|yes|on|1/i then flag = 'on' else flag = 'off' end -%>
+ php_flag <%= key %> <%= flag %>
+ <%- end -%>
+<% end -%>
\ No newline at end of file
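Review bot: `php_value <%= key %> <%= value %>` writes the value unquoted, so any value containing whitespace (an `include_path` with spaces, a `date.timezone` typo with a trailing word) is split into extra arguments, and an embedded newline would start a new directive. Quote the value or validate it in the manifest. The flag branch repeats the unanchored `/true|yes|on|1/i` match from `_directories.erb` and should share the same anchored helper rather than a second copy. The file is also missing its trailing newline.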
diff --git a/templates/vhost/_security.erb b/templates/vhost/_security.erb
new file mode 100644
index 0000000000..5ab0a5b5da
--- /dev/null
+++ b/templates/vhost/_security.erb
@@ -0,0 +1,20 @@
+<% if @modsec_disable_vhost -%>
+ SecRuleEngine Off
+<% end -%>
+<% if @_modsec_disable_ids.is_a?(Hash) -%>
+<% @_modsec_disable_ids.each do |location,rules| -%>
+ >
+<% Array(rules).each do |rule| -%>
+ SecRuleRemoveById <%= rule %>
+<% end -%>
+
+<% end -%>
+<% end -%>
+<% ips = Array(@modsec_disable_ips).join(',') %>
+<% if ips != '' %>
+ SecRule REMOTE_ADDR "<%= ips %>" "nolog,allow,id:1234123455"
+ SecAction "phase:2,pass,nolog,id:1234123456"
+<% end -%>
+<% if @modsec_body_limit -%>
+ SecRequestBodyLimit <%= @modsec_body_limit %>
+<% end -%>
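Review bot: `SecRule REMOTE_ADDR "<%= ips %>" "nolog,allow,..."` has no operator, so ModSecurity applies its default `@rx` and treats the comma-joined list as a single regular expression. With one address the unescaped dots and missing anchors let `10.0.0.1` also match `10.0.0.10` or `110.0.0.1`, and with several addresses the literal comma means the rule never matches at all. Since the action is `allow`, an over-broad match exempts unintended clients from every rule. Use `@ipMatch <%= ips %>`, which takes a comma-separated list, and add a spec for the single and multiple address cases. The hard-coded ids `1234123455` and `1234123456` should be documented or made configurable so they cannot collide with site rules, and the `SecAction` with only `pass,nolog` needs a comment explaining why it is there.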
diff --git a/templates/vhost/_wsgi.erb b/templates/vhost/_wsgi.erb
index a0d4ded654..9f01d40910 100644
--- a/templates/vhost/_wsgi.erb
+++ b/templates/vhost/_wsgi.erb
@@ -13,9 +13,9 @@
WSGIProcessGroup <%= @wsgi_process_group %>
<% end -%>
<% if @wsgi_script_aliases and ! @wsgi_script_aliases.empty? -%>
- <%- @wsgi_script_aliases.each do |a, p| -%>
- <%- if a != '' and p != ''-%>
- WSGIScriptAlias <%= a %> "<%= p %>"
+ <%- @wsgi_script_aliases.keys.sort.each do |key| -%>
+ <%- if key != '' and @wsgi_script_aliases[key] != ''-%>
+ WSGIScriptAlias <%= key %> "<%= @wsgi_script_aliases[key] %>"
<%- end -%>
<%- end -%>
<% end -%>